Re: [ipfix-eval] draft-leinen-ipfix-eval-contrib-00.txt
Benoit Claise <bclaise@cisco.com> Mon, 28 October 2002 16:00 UTC
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA15773 for <ipfix-archive@lists.ietf.org>; Mon, 28 Oct 2002 11:00:37 -0500 (EST)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 186C6x-0007M5-00 for ipfix-list@mil.doit.wisc.edu; Mon, 28 Oct 2002 09:47:27 -0600
Received: from odd-brew.cisco.com ([144.254.15.119] helo=strange-brew.cisco.com) by mil.doit.wisc.edu with esmtp (Exim 3.13 #1) id 186C6u-0007Km-00 for ipfix-eval@net.doit.wisc.edu; Mon, 28 Oct 2002 09:47:24 -0600
Received: from cisco.com (dhcp-peg3-vl30-144-254-7-44.cisco.com [144.254.7.44]) by strange-brew.cisco.com (8.11.6+Sun/8.8.8) with ESMTP id g9SFkp726420; Mon, 28 Oct 2002 16:46:51 +0100 (CET)
Message-ID: <3DBD5BEB.5000806@cisco.com>
Date: Mon, 28 Oct 2002 16:46:51 +0100
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.1) Gecko/20020815
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Simon Leinen <simon@limmat.switch.ch>
CC: ipfix-eval@net.doit.wisc.edu
Subject: Re: [ipfix-eval] draft-leinen-ipfix-eval-contrib-00.txt
References: <15805.13639.378299.410135@limmat.switch.ch>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
X-MIME-Autoconverted: from 8bit to quoted-printable by strange-brew.cisco.com id g9SFkp726420
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by ietf.org id LAA15773
Simon, >I decided to submit an updated version of my "Individual Evaluation" >I-D for reference, because it contains some rationale that is missing >from the first version of the evaluation team I-D. Since I hadn't >submitted the first version to the I-D repository, I had to change the >title rather than the serial number. Full text is attached. > >Changes from the first version (which had been circulated on the >ipfix-eval mailing list) include: > > Changed name from draft-leinen-ipfix-eval-00.txt to > draft-leinen-ipfix-eval-contrib-00.txt. > > Added text about benefit/cost of split reporting à la LFAP. > > Added text about benefits of server-selected byte ordering à la > CRANE. > > Added text about LFAP's multi-record encoding. > > Added text about NetFlow v9's periodical reporting requirement for > option and template data, and how this could be relaxed for > reporting asynchronous events, in particular when a reliable > transport is used. > > (Opinionated Conclusions): Removed entire section. > Why have you removed your conclusions? After the extensive comparison you've been conducting, I was thinking this was the most valuable section! Regards, Benoit. > > (Acknowledgements): New section. > > (References): Completed LFAP-MIB reference. > > >------------------------------------------------------------------------ > > >Internet Draft Simon Leinen >Document: draft-leinen-ipfix-eval-contrib-00.txt SWITCH >Expires: April 2003 > > October 2002 > > > Individual Evaluation Of IPFIX Protocol Candidates > > <draft-leinen-ipfix-eval-contrib-00.txt> > >Status of this Memo > > This document is an Internet-Draft and is in full conformance with > all provisions of Section 10 of [RFC 2026]. Internet-Drafts are > working documents of the Internet Engineering Task Force (IETF), its > areas, and its working groups. Note that other groups may also > distribute working documents as Internet-Drafts. > > Internet-Drafts are draft documents valid for a maximum of six months > and may be updated, replaced, or obsoleted by other documents at any > time. It is inappropriate to use Internet-Drafts as reference > material or to cite them other than as "work in progress." > > The list of current Internet-Drafts can be accessed at > http://www.ietf.org/ietf/1id-abstracts.txt > > The list of Internet-Draft Shadow Directories can be accessed at > http://www.ietf.org/shadow.html > > Distribution of this document is unlimited. > >Copyright Notice > > Copyright (C) The Internet Society (2002). All Rights Reserved. > > >Abstract > > This document contains one individual evaluation team member's > contribution to the selection process for an IP Flow Information > Export (IPFIX) protocol. The five candidate protocols are outlined > and grouped in broad categories, and evaluated against specific > requirements. > > > > > > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 1] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >Table of Contents > > 1 Introduction ................................................. 3 > 2 Protocol Summaries ........................................... 3 > 2.1 CRANE ...................................................... 3 > 2.1.1 CRANE Protocol Operation ................................. 4 > 2.1.2 CRANE Data Encoding ...................................... 4 > 2.2 Diameter ................................................... 4 > 2.2.1 Diameter Protocol Operation .............................. 5 > 2.2.2 Diameter Data Encoding ................................... 5 > 2.3 LFAP ....................................................... 5 > 2.3.1 LFAP Protocol Operation .................................. 5 > 2.3.2 LFAP Data Encoding ....................................... 6 > 2.4 NetFlow v9 ................................................. 6 > 2.4.1 NetFlow Protocol Operation ............................... 6 > 2.4.2 NetFlow Data Encoding .................................... 6 > 2.5 Streaming IPDR ............................................. 6 > 2.5.1 Streaming IPDR Protocol Operation ........................ 7 > 2.5.2 Streaming IPDR Data Encoding ............................. 7 > 3 Broad Classification of Candidate Protocols .................. 7 > 3.1 Design Goals ............................................... 7 > 3.1.1 High-Performance Flow Metering (NetFlow, LFAP) ........... 7 > 3.1.2 Carrier-Grade Multi-Purpose Accounting (IPDR, CRANE) ..... 8 > 3.1.3 General-Purpose AAA (Diameter) ........................... 8 > 3.2 Data Representation ........................................ 8 > 3.2.1 Externally Described Encoding (CRANE, IPDR, NetFlow) ..... 8 > 3.2.2 Partly Self-describing Encoding (Diameter, LFAP) ......... 9 > 3.3 Protocol Flow .............................................. 9 > 3.3.1 Mainly Unidirectional Protocols (IPDR, NetFlow) .......... 9 > 3.3.2 Bidirectional Protocols (CRANE, LFAP) .................... 9 > 3.3.3 Unidirectional after Negotiation (Diameter) .............. 10 > 4 Item-Level Compliance Evaluation ............................. 10 > 4.1 Meter Reliability (5.1) .................................... 10 > 4.2 Sampling (5.2) ............................................. 11 > 4.3 Overload Behaviour (5.3) ................................... 11 > 4.4 Information Model (6.1) .................................... 12 > 4.5 Data Model (6.2) ........................................... 12 > 4.5.1 Data Model Extensibility ................................. 12 > 4.5.2 Flexible Flow Record Definition .......................... 13 > 4.6 Data Transfer (6.3) ........................................ 13 > 4.6.1 Congestion Awareness (6.3.1) ............................. 13 > 4.6.2 Reliability (6.3.2) ...................................... 13 > 4.6.3 Security (6.3.2) ......................................... 14 > 4.6.3.1 IPSEC and TLS .......................................... 14 > 4.6.3.2 Application-level Security ............................. 14 > 4.6.4 Push and Pull Mode Reporting (6.4) ....................... 15 > 4.6.5 Regular Reporting Interval (6.5) ......................... 15 > 4.6.6 Notification on Specific Events (6.6) .................... 15 > 4.6.7 Anonymization (6.7) ...................................... 16 > 4.6.8 Several Collecting Processes (8.3) ....................... 16 > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 2] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > 5 Opinionated Conclusions ...................................... 16 > 6 Security Considerations ...................................... 18 > 7 References ................................................... 18 > 8 Author's Address ............................................. 19 > 9 Full Copyright Statement ..................................... 20 > > >1. Introduction > > The IP Flow Information Export (IPFIX) Working Group has been > chartered to select a protocol for the export of flow information > from traffic-observing devices (such as routers or dedicated probes). > To this end, an evaluation team was formed to evaluate submitted > protocols. Each protocol is represented by an advocate, who > submitted a specific evaluation draft for the respective protocol > against the requirements document [IPFIX-REQ]. The specification of > each protocol was itself available as one or several Internet-Drafts, > sometimes referring normatively to documents from outside the IETF. > > This document contains the author's personal evaluation of the > submitted protocols with respect to the requirements document, and on > a more general level, to the working group charter. It is intended > to serve as input for the deliberations of the evaluation team. > > The following IPFIX candidate protocol submissions were evaluated: > > - CRANE [CRANE], [CRANE-EVAL] > > - Diameter [DIAMETER], [DIAMETER-EVAL] > > - LFAP [LFAP], [LFAP-EVAL] > > - NetFlow v9 [NETFLOWV9], [NETFLOWV9-EVAL] > > - Streaming IPDR [IPDR], [IPDR-EVAL] > > This document uses terminology defined in [IPFIX-REQ] intermixed with > that from submissions to explain the mapping between the two. > >2. Protocol Summaries > > In the following, each candidate protocol is described briefly, > highlighting its specific distinguishing features. > >2.1. CRANE > > XACCT's Common Reliable Accounting for Network Element Protocol > Version 1.0 [CRANE] [CRANE-EVAL] is described as a protocol for the > transmission of accounting information from "Network Elements" to > "mediation" and "business support systems". > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 3] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >2.1.1. CRANE Protocol Operation > > The exporting side is the CRANE client, the collecting side the CRANE > server. Note that it is the server that is responsible for > initiating the connection to the client. A client can have multiple > simultaneous connections to different servers for robustness. Each > server has an associated priority. A client only exports to the > server with the highest priority that is perceived operational. > > Clients and servers exchange messages over a reliable protocol such > as TCP [TCP] or (preferably) SCTP [SCTP]. The protocol uses > application-layer acknowledgements as an indication of successful > processing by the server. Strong authentication or data > confidentiality aren't support by the protocol, but can be supported > by lower-layer mechanisms such as IPSEC [IPSEC] or TLS [TLS]. > > The protocol is bidirectional over the entire duration of a session. > There are 20 different message types. The protocol supports template > negotiation, not only at startup but also later on in a session, as > well as general status inquiries. There is a separate version > negotiation protocol defined over UDP. > >2.1.2. CRANE Data Encoding > > Data encoding is based on templates. Templates contain "keys" > representing items in data records. Clients (exporters) publish > templates to servers (collectors). Servers can then select the > subset of fields in a template that they are interested in. The > client will suppress keys that haven't been selected by the server. > > Data records contain references to template and configuration > instances. They also carry sequence numbers (DSNs for Data Sequence > Numbers). These sequence numbers can be used to de-duplicate data > records that have been delivered multiple times during failover/fail- > back in redundant configurations. A "duplicate" bit is set in these > situations as a hint for the de-duplication process. > > The encoding of (flow information) data records themselves is very > compact. The client (exporter) can choose to send data in big-endian > (network byte order) or little-endian format. There are eighteen > fixed-size key types, as well as five variable-length string and > binary data (BLOB) types. > >2.2. Diameter > > Diameter [DIAMETER] [DIAMETER-EVAL] is an evolution of the Remote > Authentication Dial In User Service (RADIUS) protocol [RADIUS]. > RADIUS is widely used to outsource authentication and authorization > in dialup access environments. Diameter is a generalized and > extensible protocol intended to support Authentication, Authorization > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 4] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > and Accounting (AAA) requirements of different applications. Dialup > and Mobile IPv4 are examples of such applications defined in the > IETF. > >2.2.1. Diameter Protocol Operation > > Diameter is a peer-to-peer protocol. The base protocol defines > fourteen command codes, organized as seven request/response command > pairs. Presumably, only a subset of these would be used in a pure > IPFIX application. Diameter includes capability negotiation and > error notifications. Diameter operates over TCP or (preferred) SCTP. > There is a framework for end-to-end security, the mechanisms for > which are defined in a separate document. IPSEC or TLS can be used > to provide authentication or encryption at the underlying layers. > >2.2.2. Diameter Data Encoding > > Diameter conveys data in the form of attribute/value pairs (AVPs). > An AVP consists of eight bytes of header plus the space to store the > data, which depends on the data format. There are numerous > predefined AVP data formats, including signed and unsigned integer > types, each in 32 and 64 bit variants, IPv4 and IPv6 addresses, as > well as others. The advocacy draft [DIAMETER-EVAL] suggests that the > predefined data formats IPFilterRule and/or QoSFilterRule could be > extended to represent IP Flow Information. Such rules are > represented as readable UTF-8 strings. Alternatively, new AVPs could > be defined to represent flow information. > >2.3. LFAP > > LFAP [LFAP] [LFAP-DATA] [LFAP-EVAL] started out as the "Lightweight > Flow Admission Protocol" and was used to outsource shortcut creation > decisions on flow-based routers, as well as to provide per-flow > statistics. Later versions removed the admission function and > changed the name to "Lightweight Flow Accounting Protocol" > >2.3.1. LFAP Protocol Operation > > The exporter in LFAP is called the Connection Control Entity (CCE), > and the collector is the Flow Accounting Server (FAS). These > entities communicate with each other over a TCP connection. LFAP > knows thirteen message types, including operations for connection > management, version negotiation, flow information messages and > administrative requests. Authentication and encryption can be > provided by IPSEC or TLS at lower layers. Additionally, the LFAP > protocol itself supports four levels of security using HMAC-MD5 > authentication and DES-CBC encryption. > > A distinguishing feature is that LFAP has two different message types > for flow information: A Flow Accounting Request (FAR) message is sent > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 5] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > when a new flow is identified at the CCE (meter/exporter). > Accounting information is sent later in one or multiple Flow Update > Notification (FUN) messages. A collector must match each FUN to a > Flow ID previously sent in a FAR. > > The LFAP document also defines a set of useful statistics about the > accounting process. A separate MIB document [LFAP-MIB] is provided > for management of LFAP entities using SNMP. > >2.3.2. LFAP Data Encoding > > LFAP encodes data in a Type/Length/Value format with four bytes of > overhead per data item (two bytes for the type and two bytes for the > length field). > >2.4. NetFlow v9 > > NetFlow v9 [NETFLOWV9] [NETFLOWV9-EVAL] is a generalized version of > Cisco's NetFlow protocol. Previous versions of NetFlow, in > particular version 5, have been widely implemented and used for the > exporting and collecting of IP flow information. > >2.4.1. NetFlow Protocol Operation > > NetFlow uses a very simple protocol, with the exporter sending > template, options, and data "FlowSets" to the collector. FlowSets > are sequences of data records of similar format. NetFlow is the only > one of the candidate protocols that has always worked over UDP [UDP]. > Because of the simple unidirectional nature of the protocol, it > should be relatively straightforward to add mappings to other > transport protocols such as SCTP or TCP. The current NetFlow v9 > draft fails to specify such a mapping, but the advocacy draft > suggests an SCTP transport to make NetFlow congestion-friendly. > >2.4.2. NetFlow Data Encoding > > NetFlow v9 uses a template facility to describe exported data. The > data itself is represented in a compact way using network byte order. > >2.5. Streaming IPDR > > Streaming IPDR [IPDR] [IPDR-EVAL] is an application of the Network > Data Management-Usage (NDM-U) For IP Services specification version > 3.1 [NDM-U-3.1]. It has been developed by the Internet Protocol > Detail Record Organization (IPDR, Inc. or ipdr.org). The terminology > used is similar to CRANE's, talking about Service Elements (SEs), > mediation systems and Business Support Systems (BSS). > > > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 6] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >2.5.1. Streaming IPDR Protocol Operation > > Streaming IPDR operates over TCP. There is a "Trivial TCP Delivery" > mode as well as an "Acknowledged TCP Delivery" or "Reliable > Streaming" mode. The latter uses application-layer acknowledgements > for increased reliability. > > The protocol is basically unidirectional. The exporter opens a > connection towards the collector, then sends a header followed by a > set of record descriptors. Then it can send "Usage Event" records > corresponding to these descriptors until the connection is > terminated. New record descriptors can be sent at any time. > Messages carry sequence numbers that are used for de-duplication > during failover. They are also referenced by application-level > acknowledgements when Reliable Streaming is used. > >2.5.2. Streaming IPDR Data Encoding > > IPDR uses an information modeling technique based on the XML-Schema > language [XML]. Data can be represented in XML or in a streamlined > encoding based on the External Data Representation [XDR]. XDR forms > the basis of Sun's Remote Procedure Call and Network File System > protocols, and has proven to be both space- and processing-efficient. > >3. Broad Classification of Candidate Protocols > > In order to evaluate the candidate protocols against the higher-level > requirements laid out in the IPFIX Working Group charter, it is > useful to group them into broader categories. > >3.1. Design Goals > > One way to look at the candidate protocols is to study the goals that > have directed their respective design. Note that the intention is > not to exclude protocols that have been designed with a different > class of applications in mind, but simply to better understand the > different tradeoffs that distinguish the protocols. > >3.1.1. High-Performance Flow Metering (NetFlow, LFAP) > > Of the candidate protocols, Cisco's NetFlow is the purest example of > a highly specialized protocol that has been designed with the sole > objective of conveying accounting data from flow-aware routers at > high rates. Starting from a fixed set of accounting fields, it has > been extended a few times over the years to support additional fields > and various types of aggregation in the metering/exporting process. > > Riverstone's LFAP is similarily focused, except that it originated in > a protocol to outsource the decision whether to create shortcuts in > flow-based routers. This is still manifest in an increased emphasis > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 7] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > on reliable operation, and in the split reporting of flow information > using Flow Accounting Request (FAR) and Flow Update Notification > (FUN) messages. > > It has been pointed out that split reporting as done by LFAP can > reduce memory requirements at the exporter. This concerns a subset > of attributes that are neither "key" attributes which define flows, > nor attributes such as packet or byte counters that must be updated > for each packet anyway. On the other hand, when there are many > short-lived flows, the number of flow export messages will be > significantly higher than with "unitary" flow export models, and the > collector will have to keep state about active flows until they are > terminated. > >3.1.2. Carrier-Grade Multi-Purpose Accounting (IPDR, CRANE) > > Streaming IPDR and CRANE describe themselves as protocols to > facilitate the reliable transfer of accounting information between > Network Elements (or more generally "Service Elements" in the case of > IPDR) and Mediation Systems or Business Support Systems (BSS). They > reflect a view of the accounting problem and of network system > architectures that originates in traditional "vertically integrated" > telecommunications. > > Both protocols also emphasize extensibility with the goal of > applicability to a wide range of accounting tasks. > > IPDR is based on NDM-U, which uses the XML-Schema language for > machine-readable specification of accounting data structures, while > using the efficient XDR encoding for the actual data transfer. > > CRANE uses templates to describe exported data. These templates are > negotiated between collector and exporter and can change during a > session. > >3.1.3. General-Purpose AAA (Diameter) > > Diameter is another example of a broader-purpose protocol, in that it > covers aspects of authentication and authorization as well as > accounting. This explains its strong emphasis on security and > reliability. The design also takes into account various types of > intermediate agents. > >3.2. Data Representation > > IPFIX is intended to be deployed, among others, in high-speed routers > and to be used for exporting detailed flow data at high flow rates. > Therefore it is useful to look at the tradeoffs between the > efficiency of data representation and the extensibility of data > models. The two main efficiency goals should be (1) to minimize the > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 8] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > export data rate and (2) to minimize data encoding overhead in the > exporter. The overhead of decoding flow data at the collector is > deemed less critical, and is partly covered by efficiency target (2), > since an encoding that is easy on the encoder is often also easy on > the decoder. > >3.2.1. Externally Described Encoding (CRANE, IPDR, NetFlow) > > The protcols in this group use an external mechanism to fully > describe the format in which flow data is encoded. The mechanisms > are "templates" in the case of CRANE and NetFlow, and a subset of the > XML-Schema language, or alternatively XDR IDL, for IPDR. > > A fully external data format description allows for very compact > encoding, with data components such as 32-bit integers taking up only > four octets. The XDR representation used in IPDR additionally > ensures that larger fields are always aligned on 32-bit boundaries, > which can reduce processing requirements at both the exporter and the > collector, at a slight cost of space (thus bandwidth) due to padding. > > Most protocols specify "network byte order" or "big-endian" format in > the export data format. CRANE is the only protocol where the > exporter may choose the byte ordering. The principal benefit is that > this lowers the processing demand on exporters based on little-endian > architectures. > >3.2.2. Partly Self-describing Encoding (Diameter, LFAP) > > Diameter and LFAP represent flow data using Type/Length/Value > encodings. While this makes it possible to partly decode flow data > without full context information - possibly useful for debugging - it > does increase the encoding size and thus the bandwidth requirements > both on the wire and in the exporter and collector. > > LFAP has a "multi-record" encoding which claims to provide similar > wire efficiency as the externally described encodings while still > supporting diagnostic tools. > >3.3. Protocol Flow > > Another criterion for classification is the flow of protocol messages > between exporter and collector. > >3.3.1. Mainly Unidirectional Protocols (IPDR, NetFlow) > > In IPDR and NetFlow, the data flow is essentially from exporter to > collector, with the collector only sending acknowledgements. The > protocols send data descriptions (templates) on session > establishment, and then start sending flow export data based on these > templates. "Meta-information" about the operational status of the > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 9] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > metering and exporting processes (for example about the sampling > parameters in force at a given moment) is conveyed using a special > type of "Option" template in NetFlow v9. IPDR currently doesn't have > definitions for such "meta-data" types, but they could easily be > defined outside the protocol proper. > >3.3.2. Bidirectional Protocols (CRANE, LFAP) > > CRANE allows for negotiation of the templates used for data export at > the start of a session, and also allows negotiated template updates > later on. CRANE sessions include an exporter and potentially several > collectors, so these negotiations can involve more than two parties. > > LFAP has an initial phase of version negotiation, followed by a phase > of "data negotiation". After these startup phases, the exporter > sends FAR and FUN messages to the collector. However, either party > may also send Administrative Request (AR) messages to the other, and > will normally receive Administrative Request Answers (ARA) in > response. Administrative Requests can be used for status inquiries, > including information about a specific active flow, or for > negotiation of the "Information Elements" that the collector wants > the exporter to export. > >3.3.3. Unidirectional after Negotiation (Diameter) > > Diameter has a general capabilities negotiation mechanism. The use > of Diameter for IPFIX hasn't been described in sufficient detail to > determine how capabilities negotiation would be used. After > negotiation, the protocol would operate in essentially unidirectional > mode, with Accounting-Request (ACR) messages flowing from the > exporter to the collector, and Accounting-Answer (ACA) messages > flowing back. > >4. Item-Level Compliance Evaluation > > The template for protocol advocates noted that not all requirements > in [IPFIX-REQ] apply directly to the flow export protocol. In > particular, sections 4 (Distinguishing Flows) and 5 (Metering > Process) mainly specify requirements on the metering mechanism that > "feeds" the exporter. However, in some cases they require > information about the metering process to be reported to collectors, > so the flow export protocol must support conveying this information. > >4.1. Meter Reliability (5.1) > > CRANE, Diameter, IPDR consider requirement 5.1 (reliability of the > metering process or indication of "missing reliability" out of scope > for the IPFIX protocol, which presumably means that they assume the > metering process to be reliable. > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 10] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > The NetFlow v9 advocacy draft takes a similar stance when it claims > "Total Compliance. The metering process is reliable." (although this > has been documented not to be true for all current Cisco > implementations of NetFlow v5). > > LFAP is the only protocol that explicitly addresses the possibility > that data might be lost in the metering process, and provides useful > statistics the collectors to estimate not just the amount of flow > data that was lost, but also the amount of data not unaccounted for. > > Note that in the general case, it can be considered unrealistic to > assume total reliability of a flow-based metering process in all > situations, unless sampling or coarse flow definitions are used. > With the fine-grained flow classification mechanisms mandated by > IPFIX, it is easy to imagine traffic where each - possibly very small > - packet would create a new flow. This kind of traffic is in fact > encountered in practice during aggressive port scans, and will > eventually lead to table overflows or exceeding of memory bandwidth > at the meter. > > While some of these situations can be handled by dropping data later > on in the exporter, data transfer, or collector, or by transitioning > the meter to sampling mode (or increasing the sampling interval), it > will sometimes be considered the lesser evil to simply report on the > data that couldn't be accounted for. Currently LFAP is the only > protocol that supports this. > >4.2. Sampling (5.2) > > CRANE and IPDR don't mention the possibility of sampling. This is > natural because they are targeted towards telco-grade accounting, > where sampling would be considered inadmissible. Since support for > sampling is a "MAY" requirement, its lack could be tolerated, but > severely restricts the applicability of these protocols in places of > high aggregation, where absolute precision is not necessary. This > includes applications such as traffic profiling, traffic engineering, > and large-scale attack/intrusion detection, but also usage-based > accounting applications where charging based on sampling is agreed > upon. > > The Diameter advocate acknowledges the existence of sampling and > suggests to define new (grouped) AVPs to carry information about the > sampling parameters in use. > > LFAP does not currently support sampling, although its advocate > contends that adding support for this would be relatively > straightforward, without going into too much detail. > > NetFlow v9 does support sampling (and many implementations and > deployments of sampled NetFlow exist for previous NetFlow versions). > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 11] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > Option Data is supposed to convey sampling configuration, although no > sampling-related field types have yet been defined in the draft. > >4.3. Overload Behaviour (5.3) > > The requirements document suggests that meters adapt to overload > situations, for example by changing to sampling (or reducing the > sampling rate if sampling is already in effect), by changing the flow > definition to coarser flow categories (thinning), by stopping to > meter, or by reducing packet processing. > > In these situations, the requirements document mandates that flow > information from before the modification of metering behavior can be > cleanly distinguished from flow information from after the > modification. For the suggested mitigation methods of sampling or > thinning, this essentially means that all existing flows have to be > expired, and an entirely new set of flows must be started. This is > undesirable because it causes a peak of resource usage in an already > overloaded situation. > > LFAP and NetFlow claim to handle this requirement, both by supporting > only the simple overload mitigation methods that don't require the > entire set of existing flows to be expired. The NetFlow advocate > claims that the reporting requirement could be easily met by expiring > existing flows with the old template, while sending a new template > for new flows. While it is true that NetFlow handles this > requirement in a very graceful manner, the general performance issue > remains. > > CRANE, Diameter, and IPDR consider the requirement out of scope for > the protocol, although Diameter summarily acknowledges the possible > need for new AVP definitions related to mitigation methods. > >4.4. Information Model (6.1) > > All candidate protocols have information models that can represent > all required and all optional attributes. The Diameter contribution > lacks some detail on how exactly the IPFIX-specific attributes should > be mapped. > >4.5. Data Model (6.2) > >4.5.1. Data Model Extensibility > > Each candidate protocol defines a data model that allows for some > degree of extensibility. > > CRANE uses Keys to specify fields in templates. A key "specification > MUST consist of the description and the data type of the accounting > item." Apparently extensibility is intended, but I'm not sure whether > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 12] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > adding a new Key really only involves writing a textual description > and deciding upon a base type. Every Key also has a 32-bit Key ID, > but from the current specification they don't seem to carry global > semantics. > > Diameter's Attribute/Value Pairs (AVP) have a 32-bit identifier (AVP > Code) administered by IANA. In addition, there is an optional 32-bit > Vendor-ID that can contain an SMI Enterprise Number for vendor- > defined attributes. If the Vendor-ID (and a corresponding flag in > the attribute) is set, the AVP Code becomes local to that vendor. > > IPDR uses a subset of the XML-Schema language for extensibility, thus > allowing for vendor- and application-specific extensions of the data > model. > > In LFAP, flow attributes are defined as Information Elements. There > is a 16-bit IE type code (which is carried in the export protocol for > every IE). One type code is reserved for vendor-specific extensions. > Arbitrary sub-types of the vendor-specific IE can be defined using > ASN.1 Object IDs (OIDs). > > In NetFlow v9 as reviewed, data items are identified by a sixteen-bit > field type. 26 field types are defined in the draft. The draft > suggests to look check a Web page at Cisco Systems' site for the > current list of field types. It would be preferable if the > administration of the field type space would be delegated to IANA. > >4.5.2. Flexible Flow Record Definition > > All protocols allow for flexible flow record definitions. CRANE and > LFAP make the selection/negotiation of the attributes to be included > in flow records a part of the protocol, the other protocols leave > this to outside configuration mechanisms. > >4.6. Data Transfer (6.3) > >4.6.1. Congestion Awareness (6.3.1) > > All protocols except for NetFlow v9 operate over a single TCP or SCTP > transport connection, and inherit the congestion-friendliness of > these protcols. > > NetFlow v9 has been defined to operate over UDP, but claims to be > transport-independent and could also be mapped on SCTP or TCP as a > transport protocol. The details of such mappings haven't been > specified, although doing so should have been straightforward given > the unidirectional nature of this protocol. > > > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 13] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >4.6.2. Reliability (6.3.2) > > As of the time of this writing, the reliability requirement hasn't > yet been satisfactorily defined in the requirements draft. Here are > a few observations regarding the candidate protocols' approaches to > reliability. Note that the requirement for multiple collectors (8.3) > also touches on the issue of reliability. > > CRANE, Diameter, and IPDR, as protocols that strive to be carrier- > grade accounting protocols, understandably exhibit a strong emphasis > on near-total reliability of the flow export process. All three > protocols use application-level acknowledgements (in case of IPDR, > optionally) to include the entire collection process in the feedback > loop. Indications of "lack of reliability" (lost flow data) are > somewhat unnatural to these protocols, because they take every effort > to never lose anything. These protocols seem suitable in situations > where one would rather drop a packet than forward it unaccounted for. > > LFAP has application-level acknowledgements, and it also reports > detailed statistics about lost flows and the amount of data that > couldn't be accounted for. It represents a middle ground in that it > acknowledges that accounting reliability will sometimes be sacrificed > for the benefit of other tasks, such as switching packets, and > provides the tools to gracefully deal with such situations. > > NetFlow v9 is the only protocol for which the use of a "reliable" > transport protocol is optional, and the only protocol that doesn't > support application-level acknowledgements. In all fairness, it > should be noted that it is a very simple and efficient protocol, so > in an actual deployment it might exhibit a higher level of > reliability than some of the other protocols would given the same > amount of resources. > >4.6.3. Security (6.3.2) > >4.6.3.1. IPSEC and TLS > > All protocols can use, and their descriptions in fact recommend to > use, lower-layer security mechanisms such as IPSEC and, with the > exception of NetFlow v9 over UDP, TLS. It can be argued that in all > envisioned usage scenarios for IPFIX, both IPSEC and TLS provide > sufficient protection against the main identified threats of flow > data disclosure and forgery. > > The Diameter draft is the only protocol definition that goes into > sufficent level of detail with respect to the application of these > mechanisms, in particular the negotiation of certificates and ciphers > in TLS, and the use of IKE [IKE] for IPSEC. Diameter also mandates > that either IPSEC or TLS be used. > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 14] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >4.6.3.2. Application-level Security > > Diameter suggests an additional end-to-end security framework for > dealing with untrusted third-party agents. I am not entirely > convinced that this additional evel of security justifies the > additional complexity in the context of IPFIX. > > LFAP [LFAP] is the only other protocol that includes some higher- > level security mechanisms, providing four levels of security > including no security, authenticated peers, flow data authentication, > and flow data encryption using HMAC-MD5-96 and DES-CBC. > > As far as I can judge - not being a security expert -, LFAP's built- > in support for authentication and encryption doesn't provide > significant additional security compared with the use of TLS or > IPSEC. It is potentially useful in situations where TLS or IPSEC are > unavailable for some reason, although in the context of IPFIX > scenarios it should be possible to assume support for these lower- > layer mechanisms if the participating devices are capable of the > necessary cryptographic methods at all. > >4.6.4. Push and Pull Mode Reporting (6.4) > > All protocols support the mandatory "push" mode. > > The optional "pull" mode could be supported relatively easily in > Diameter, and is foreseen in NDM-U, the basis of the Streaming IPDR > proposal. CRANE, LFAP and NetFlow don't have a "pull" mode. For > CRANE and LFAP, adding one would not violate the spirit of the > protocols because they are already two-way, and in fact LFAP already > foresees inquiries about specific active flows using Administrative > Request (AR) messages with a RETURN_INDICATED_FLOWS Command Code IE. > >4.6.5. Regular Reporting Interval (6.5) > > It is not clear whether this ("SHOULD") requirement applies to the > protocol or merely to the configurability of reporting/timeout > parameters in the export process. > >4.6.6. Notification on Specific Events (6.6) > > The specific events listed in the requirements documents as examples > for "specific events" are "the arrival of the first packet of a new > flow and the termination of a flow after flow timeout". For the > former, only LFAP explicitly generates messages upon creation of a > new flow. NetFlow always exported flow information on expiry of > flows, either due to timeout or due to an indication of flow > termination. The other protocols are unspecific about when flow > information is exported. > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 15] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > On "specific events" in general, all protocols have some mechanism > that could be used for notification of asynchronous events. An > example for such an event would be that the sampling rate of the > meter was changed in response to a change in the load on the > exporting process. > > CRANE has Status Request/Status Response messages, but as defined, > Status Requests can only be issued by the server (collector), so they > cannot be used by the server to signal asynchronous events. As in > IPDR, this could be circumvented by defining templates for meta- > information. > > Diameter could use special Accounting-Request messages for event > notification. > > IPDR would presumably define pseudo-"Usage Events" using an XML > Schema so that events can be reported along with usage data. > > LFAP has Administrative Requests (AR) that can be initiated from > either side. The currently defined ARs are all information inquiries > or reconfiguration requests, but new ARs could be defined to provide > unsolicited information about specific asynchronous events. The LFAP > MIB also defines some traps/notifications. SNMP notifications are > useful to signal events to a network management system, but they are > less attractive as a mechanism to signal events that should be > somehow handled by a collector. > > In NetFlow v9, Option Data FlowSets are defined to convey information > about the metering and export processes. The current draft specifies > that Option Data should be exported periodically, although this > requirement will be relaxed for asynchronous events. It should be > noted that periodical export of option flowsets (and also of > templates) may have been considered necessary because NetFlow can run > over an unreliable transport; it seems less natural when TCP or SCTP > is used. > >4.6.7. Anonymization (6.7) > > None of the protocols include explicit support for anonymization. > All protocols could be extended to convey when and how anonymization > is being performed by an exporter, using mechanisms similar to those > that would be used to report on sampling. However it can be argued > that anonymization it more "static" in the sense that it will be > either configured at the exporter or not, and that the collector can > be made aware of this by means outside the IPFIX protocol. > >4.6.8. Several Collecting Processes (8.3) > > CRANE, Diameter, and IPDR all support multiple collectors in a backup > configuration. The failover case is analyzed in some detail, with > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 16] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > support for data buffering and de-duplication in failover situations. > > NetFlow takes a more simple-minded approach in that it allows > multiple (currently: two) collectors to be configured in an exporter. > Both collectors will generally receive all data and could use > sequence numbers and inter-collector communication to de-duplicate > them. This is a simple way to improve availability but may also be > considered to be wasteful, both in terms of bandwidth and in terms of > other exporter resources. With the current UDP mapping it is easy > enough to send multiple copies of datagrams to different collectors, > but when SCTP or TCP is used, sending all data over multiple > connections will exacerbate performance issues. > > I don't entirely understand how failover is handled in LFAP, where > flow information is separated into FAR and FUN messages. In > particular, when the primary FAS A fails and the CCE starts sending > to secondary FAS B, will it send B FUNs that refer to Flow IDs whose > FARs had only been sent to A? > >5. Security Considerations > > The security mechanisms of the candidate protocols were discussed in > the section about the Security requirement (6.3.2). > >6. Acknowledgements > > A draft of this document had been circulated on the ipfix-eval > mailing list, and several participants provided valuable feedback, > including Vamsidhar Valluri, Paul Calato, Tal Givoly, Jeff Meyer, > Robert Lowe, Benoit Claise, and Carter Bullard. Many of these issues > have been discussed with the other members of the IPFIX evaluation > team: Juergen Quittek, Reinaldo Penno, Ram Gopal, and Mark Fullmer. > However, this draft doesn't claim to represent team consensus, just > the views of its author. > >7. References > >[IPFIX-REQ] J. Quittek et al., "Requirements for IP Flow Information > Export", draft-ietf-ipfix-reqs-06.txt, work in progress, > September 2002. > >[CRANE] K. Zhang, E. Elkin, "XACCT's Common Reliable Accounting for > Network Element (CRANE) Protocol Specification Version 1.0", > draft-kzhang-crane-protocol-05.txt, work in progress, August > 2002. > >[CRANE-EVAL] > K. Zhang, E. Elkin, P. Ludemann, "Evaluation of the CRANE > Protocol Against IPFIX Requirements", draft-kzhang-ipfix- > eval-CRANE-00.txt, work in progress, September 2002. > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 17] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >[DIAMETER] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, J. Arkko, > "Diameter Base Protocol", draft-ietf-aaa-diameter-12.txt, > work in progress, July 2002. > >[DIAMETER-EVAL] > S. Zander, "Evaluation of the Diameter Protocol Against > IPFIX Requirements", draft-zander-ipfix-eval- > diameter-00.txt, work in progress, September 2002. > >[LFAP] P. Calato, M. MacFaden, "Light-weight Flow Accounting > Protocol Specification Version 5.0", draft-riverstone- > lfap-01.txt, work in progress, June 2002. > >[LFAP-DATA] P. Calato, M. MacFaden, "Light-weight Flow Accounting > Protocol Data Definition Specification Version 5.0", draft- > riverstone-lfap-data-01.txt, work in progress, June 2002. > >[LFAP-EVAL] P. Calato, "Evaluation of Protocol LFAP Against IPFIX > Requirements", draft-calato-ipfix-lfap-eval-05.txt, work in > progress, August 2002. > >[LFAP-MIB] P. Calato, M. MacFaden, "Light-weight Flow Accounting > Protocol MIB", draft-calato-lfap-mib-00.txt, work in > progress, September 2002. > >[NETFLOWV9] B. Claise, "Cisco Systems NetFlow services Export Version > 9", draft-bclaise-netflow-9-01.txt, work in progress, > October 2002. > >[NETFLOWV9-EVAL] > B. Claise, "Evaluation Of NetFlow Version 9 Against IPFIX > Requirements", draft-claise-ipfix-eval-netflow-02.txt, work > in progress, October 2002. > >[IPDR] J. Meyer, "Reliable Streaming Internet Protocol Detail > Records", draft-meyer-ipdr-streaming-00.txt, work in > progress, August 2002. > >[IPDR-EVAL] J. Meyer, "Evaluation Of Streaming IPDR Against IPFIX > Requirements", draft-meyer-ipfix-IPDR-eval-00.txt, work in > progress, September 2002. > >[NDM-U-3.1] Internet Protocol Detail Record Organization, "Network Data > Management - Usage (NDM-U) For IP-Based Services Version > 3.1", April 2002. > >[IPSEC] S. Kent, et al. "Security Architecture for the Internet > Protocol", RFC 2401, November 1998. > > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 18] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > >[IKE] D. Harkins, D. Carrel, "The Internet Key Exchange (IKE)", > RFC 2409, November 1998. > >[TLS] T. Dierks, et al. "The TLS Protocol, Version 1.0", RFC 2246, > January 1999. > >[RADIUS] C. Rigney, A. Rubens, W. Simpson, S. Willens, "Remote > Authentication Dial In User Service (RADIUS)", RFC 2865, > June 2000. > >[TCP] J. Postel, "Transmission Control Protocol", RFC 793, January > 1981. > >[UDP] J. Postel, "User Datagram Protocol" RFC 768, August 1980. > >[SCTP] R. Stewart et al., "Stream Control Transmission Protocol", > RFC 2960. October 2000. > >[XML] World Wide Web Consortium, "Extensible Markup Language (XML) > 1.0", W3C XML, February 1998. > >[XDR] R. Srinivasan, "XDR: External Data Representation Standard", > RFC 1832, August 1995. > >8. Author's Address > > Simon Leinen <simon@limmat.switch.ch> > SWITCH > Limmatquai 138 > P.O. Box > 8021 Zurich > Switzerland > phone: +41 1 268 1530 > > >9. Full Copyright Statement > > Copyright (C) The Internet Society (2002). All Rights Reserved. > > This document and translations of it may be copied and furnished to > others, and derivative works that comment on or otherwise explain it > or assist in its implementation may be prepared, copied, published > and distributed, in whole or in part, without restriction of any > kind, provided that the above copyright notice and this paragraph are > included on all such copies and derivative works. However, this > document itself may not be modified in any way, such as by removing > the copyright notice or references to the Internet Society or other > Internet organizations, except as needed for the purpose of > developing Internet standards in which case the procedures for > copyrights defined in the Internet Standards process must be > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 19] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > followed, or as required to translate it into languages other than > English. > > The limited permissions granted above are perpetual and will not be > revoked by the Internet Society or its successors or assigns. > > This document and the information contained herein is provided on an > "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING > TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING > BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION > HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF > MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >Simon Leinen draft-leinen-ipfix-eval-contrib-00.txt [Page 20] > >Internet-Draft Individual IPFIX Protocol Evaluation October 2002 > > > > -- Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/