Re: [ipfix-req] Content Based Sampling
Mark Fullmer <maf@eng.oar.net> Fri, 21 March 2003 18:56 UTC
Received: from mil.doit.wisc.edu (mil.doit.wisc.edu [128.104.31.31]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA22536 for <ipfix-archive@lists.ietf.org>; Fri, 21 Mar 2003 13:56:51 -0500 (EST)
Received: from majordomo by mil.doit.wisc.edu with local (Exim 3.13 #1) id 18wRSl-0004lx-00 for ipfix-list@mil.doit.wisc.edu; Fri, 21 Mar 2003 12:41:55 -0600
Received: from eng4.oar.net ([192.148.244.24]) by mil.doit.wisc.edu with smtp (Exim 3.13 #1) id 18wRSi-0004kK-00 for ipfix-req@net.doit.wisc.edu; Fri, 21 Mar 2003 12:41:52 -0600
Received: (qmail 16134 invoked by uid 4454); 21 Mar 2003 18:40:57 -0000
Date: Fri, 21 Mar 2003 13:40:57 -0500
From: Mark Fullmer <maf@eng.oar.net>
To: Mark Thibodeau <mark.thibodeau@alcatel.com>
Cc: Tanja Zseby <zseby@fokus.fraunhofer.de>, ipfix-req@net.doit.wisc.edu
Subject: Re: [ipfix-req] Content Based Sampling
Message-ID: <20030321134057.A16110@net.ohio-state.edu>
References: <3E5B9DF0.33FB8BAA@alcatel.com> <3E789C2F.9020609@fokus.fraunhofer.de> <20030319223115.A8515@net.ohio-state.edu> <3E79CC3E.C3DF158A@alcatel.com> <20030321130842.A15893@net.ohio-state.edu> <3E7B567D.78504723@alcatel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: Mutt 1.0i
In-Reply-To: <3E7B567D.78504723@alcatel.com>; from mark.thibodeau@alcatel.com on Fri, Mar 21, 2003 at 01:14:21PM -0500
Precedence: bulk
Sender: majordomo listserver <majordomo@mil.doit.wisc.edu>
NetFlow v9 is available from Cisco. It's common practice to use SNMP with NetFlow to query "other" information, for example to get the ifName or ifAlias for an input/output interface. Another example is to use BGP to get community and AS path information. mark On Fri, Mar 21, 2003 at 01:14:21PM -0500, Mark Thibodeau wrote: > Are you aware of any router or probe that is currently doing something like this? > > Thanks, > Mark > > Mark Fullmer wrote: > > > Yes. The template ID's have no meaning though, ie you can't tie a template > > ID back to a configuration on the exporter, where the configuration might > > include ACL's, sampling, or other attributes. > > > > All that's required is having a template id or name. Then some other > > method (SNMP, etc) can be used to query the exporter for the other > > attributes, for example the filter/access-list applied to the metering > > process used by the template. > > > > Exporting other attributes such as access lists, or even ifNames that are > > available in other ways (ie SNMP) is not a road we should go down. > > > > mark > > > > On Thu, Mar 20, 2003 at 09:12:14AM -0500, Mark Thibodeau wrote: > > > Hi Mark, > > > > > > Are you referring to Cisco-style templates? In Cisco's v9 format, there is the capability > > > for up to 64k templates. However, on a line card there may be many more ACL rules (or > > > filters). It may not be possible to have a one-to-one mapping between ACL rule and Netflow > > > template. Or, did you have some other scheme in mind? > > > > > > If communicating the filter rule is required, I agree with Tanja. Some how the rule will > > > need to be encoded in the exported packet. It could be that we just send a Rule ID. But, > > > I'm not sure how the collector will be able to retrieve the ACL rule by using the exported > > > RuleID. > > > > > > Now I'm wondering......why does the collector need to know which filter rule was used? What > > > application will it use this information for? If a user wants to know if an ACL filter is > > > being hit, they can normally look at the ACL statistics on the node. I don't see any > > > benefit of communicating this information to the collector. Do you? > > > > > > Thanks, > > > Mark > > > > > > > > > Mark Fullmer wrote: > > > > > > > I really doubt this group is going to come up with a definition for > > > > "ACL" that will get group consensus, let alone encoding it in a > > > > packet. > > > > > > > > A reasonable alternative, IMHO is to have named templates (ie > > > > "tcp-port-flows", where the name is user selectable on the > > > > exporter. > > > > > > > > mark > > > > > > > > On Wed, Mar 19, 2003 at 05:34:55PM +0100, Tanja Zseby wrote: > > > > > Hi Mark, > > > > > > > > > > content-based sampling refers to packet selection functions that take > > > > > the packet content into account. So actually it is some form of > > > > > filtering. It can also be hash-based sampling where the intention is to > > > > > achieve some pseudo random selection. > > > > > Maybe you can have a look at the psamp packet selection draft > > > > > draft-ietf-psamp-sample-tech-01.txt. There we made a first attempt to > > > > > categorize the schemes. Combined schemes (as you explained) are > > > > > explicitely allowed. > > > > > In my opinion you would need to export both, the filter rule and the > > > > > sampling scheme. > > > > > > > > > > Regards, > > > > > Tanja > > > > > > > > > > > > > > > Mark Thibodeau wrote: > > > > > > > > > > >Hi, > > > > > > > > > > > >I have some questions about the requirements for sampling. From > > > > > >requirements 8: > > > > > > > > > > > >.... > > > > > >5.2. Sampling > > > > > > > > > > > >... > > > > > > selection of one packet can for instance be triggered by its arrival > > > > > > time (time-based sampling), by its position in the flow (count-based > > > > > > sampling) or by the packet content (content-based sampling). > > > > > >.... > > > > > > > > > > > >What is meant by "content-based sampling"? Is this basically ACL > > > > > >filtering that tells you whether or not to monitor a flow? > > > > > > > > > > > >If it refers to ACL filtering, then I have some more questions. > > > > > > > > > > > >.... > > > > > >6.1. Information Model > > > > > >.... > > > > > > > > > > > > 14. if sampling is used: sampling configuration > > > > > >.... > > > > > > > > > > > >If we are using content-based sampling, what information do we want > > > > > >exported with the flow? Is it basically an ACL rule identifier? Or do > > > > > >we want to export the entire ACL rule itself? > > > > > > > > > > > >If we need to export a rule identifier or something like that, then > > > > > >there is another situation which presents itself. > > > > > > > > > > > >Let's say there are multiple rules which can cause packets to be > > > > > >monitored. If we are also doing aggregation, there is the potential for > > > > > >2 or more ACL rules to all point to the same flow record. When this > > > > > >flow record is exported, which rule identifier should it give? > > > > > > > > > > > >There is also another situation. An implementation could support > > > > > >simultaneously ACL filtering and packet sampling. For instance, only > > > > > >the flows that match a certain ACL rule will be monitored. However, > > > > > >only every 100th packet is sampled. If this combination is supported, > > > > > >what is the sampling configuration that is exported? Should we export > > > > > >the rule identifier as well as the sampling rate? > > > > > > > > > > > >Thanks, > > > > > >Mark > > > > > > > > > > > >-- > > > > > > > > > > > >**************************************************** > > > > > >* Mark Thibodeau, P Eng. > > > > > >* 670 RSP Development - Firmware Designer > > > > > >* Alcatel CID - (613) 784-5375 > > > > > >* Fax - (613) 599-3696 > > > > > >* mark.thibodeau@alcatel.com > > > > > >**************************************************** > > > > > > > > > > > > > > > > > > > > > > > >-- > > > > > >Help mailto:majordomo@net.doit.wisc.edu and say "help" in > > > > > message body > > > > > >Unsubscribe mailto:majordomo@net.doit.wisc.edu and say > > > > > >"unsubscribe ipfix" in message body > > > > > >Archive http://ipfix.doit.wisc.edu/archive/ > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Dipl.-Ing. Tanja Zseby > > > > > Fraunhofer Institute FOKUS Email: zseby@fokus.fraunhofer.de > > > > > Kaiserin-Augusta-Allee 31 Phone: +49-30-3463-7153 > > > > > D-10589 Berlin, Germany Fax: +49-30-3463-8153 > > > > > -------------------------------------------------------------------------------------- > > > > > > > > > > "Living on earth is expensive but it includes a free trip around the > > > > > sun." (Anonymous) > > > > > -------------------------------------------------------------------------------------- > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body > > > > > Unsubscribe mailto:majordomo@net.doit.wisc.edu and say > > > > > "unsubscribe ipfix" in message body > > > > > Archive http://ipfix.doit.wisc.edu/archive/ > > > > > > > > -- > > > > Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body > > > > Unsubscribe mailto:majordomo@net.doit.wisc.edu and say > > > > "unsubscribe ipfix" in message body > > > > Archive http://ipfix.doit.wisc.edu/archive/ > > > > > > -- > > > > > > **************************************************** > > > * Mark Thibodeau, P Eng. > > > * 670 RSP Development - Firmware Designer > > > * Alcatel CID - (613) 784-5375 > > > * Fax - (613) 599-3696 > > > * mark.thibodeau@alcatel.com > > > **************************************************** > > > > > > > > > > > > -- > > > Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body > > > Unsubscribe mailto:majordomo@net.doit.wisc.edu and say > > > "unsubscribe ipfix" in message body > > > Archive http://ipfix.doit.wisc.edu/archive/ > > -- > > **************************************************** > * Mark Thibodeau, P Eng. > * 670 RSP Development - Firmware Designer > * Alcatel CID - (613) 784-5375 > * Fax - (613) 599-3696 > * mark.thibodeau@alcatel.com > **************************************************** > -- Help mailto:majordomo@net.doit.wisc.edu and say "help" in message body Unsubscribe mailto:majordomo@net.doit.wisc.edu and say "unsubscribe ipfix" in message body Archive http://ipfix.doit.wisc.edu/archive/
- [ipfix-req] Content Based Sampling Mark Thibodeau
- Re: [ipfix-req] Content Based Sampling Tanja Zseby
- Re: [ipfix-req] Content Based Sampling Mark Fullmer
- Re: [ipfix-req] Content Based Sampling Mark Thibodeau
- Re: [ipfix-req] Content Based Sampling Mark Fullmer
- Re: [ipfix-req] Content Based Sampling Mark Thibodeau
- Re: [ipfix-req] Content Based Sampling Mark Fullmer
- Re: [ipfix-req] Content Based Sampling Mark Thibodeau