Re: [IPFIX] NetFlow v9 to IPFIX conversion
Paul Aitken <paitken@brocade.com> Thu, 26 March 2015 08:44 UTC
Return-Path: <paitken@Brocade.com>
X-Original-To: ipfix@ietfa.amsl.com
Delivered-To: ipfix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AC021AC413 for <ipfix@ietfa.amsl.com>; Thu, 26 Mar 2015 01:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzdMNYAE133l for <ipfix@ietfa.amsl.com>; Thu, 26 Mar 2015 01:44:07 -0700 (PDT)
Received: from mx0b-000f0801.pphosted.com (mx0b-000f0801.pphosted.com [67.231.152.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AD531A912A for <ipfix@ietf.org>; Thu, 26 Mar 2015 01:44:07 -0700 (PDT)
Received: from pps.filterd (m0000700.ppops.net [127.0.0.1]) by mx0b-000f0801.pphosted.com (8.14.7/8.14.7) with SMTP id t2Q8VjrM019304; Thu, 26 Mar 2015 01:43:59 -0700
Received: from brmwp-exchub01.corp.brocade.com ([208.47.132.227]) by mx0b-000f0801.pphosted.com with ESMTP id 1tc3ev17w2-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 26 Mar 2015 01:43:59 -0700
Received: from BRMWP-EXMB11.corp.brocade.com (172.16.59.77) by BRMWP-EXCHUB01.corp.brocade.com (172.16.186.99) with Microsoft SMTP Server (TLS) id 14.3.123.3; Thu, 26 Mar 2015 02:43:58 -0600
Received: from EMEAWP-CASH01.corp.brocade.com (172.29.18.10) by BRMWP-EXMB11.corp.brocade.com (172.16.59.77) with Microsoft SMTP Server (TLS) id 15.0.1044.25; Thu, 26 Mar 2015 02:43:57 -0600
Received: from [172.29.21.131] (172.29.21.131) by imapeu.brocade.com (172.29.18.15) with Microsoft SMTP Server (TLS) id 8.3.298.1; Thu, 26 Mar 2015 09:43:56 +0100
Message-ID: <5513C6CB.1040001@brocade.com>
Date: Thu, 26 Mar 2015 08:43:55 +0000
From: Paul Aitken <paitken@brocade.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.5.0
MIME-Version: 1.0
To: Petr Velan <petr.velan@cesnet.cz>, Andrew Feren <andrewf@plixer.com>
References: <CALbOe5O0e3tw--vCrj9FkFWVvoMAb9iZaXyRYqfNFSSqQUT94w@mail.gmail.com> <54AC4097.1050602@plixer.com> <CALbOe5M8VtTLANGZDUG=bQH-z6eKLK7ckTPTUY0AueX_ioUs1Q@mail.gmail.com>
In-Reply-To: <CALbOe5M8VtTLANGZDUG=bQH-z6eKLK7ckTPTUY0AueX_ioUs1Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090609010209050008010700"
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.13.68, 1.0.33, 0.0.0000 definitions=2015-03-26_02:2015-03-25,2015-03-26,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1503260089
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipfix/vWmBozHmCJyVvRor5r23g6VMXDE>
Cc: joelja@bogus.com, "ipfix@ietf.org" <ipfix@ietf.org>
Subject: Re: [IPFIX] NetFlow v9 to IPFIX conversion
X-BeenThere: ipfix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFIX WG discussion list <ipfix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipfix>, <mailto:ipfix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipfix/>
List-Post: <mailto:ipfix@ietf.org>
List-Help: <mailto:ipfix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipfix>, <mailto:ipfix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 08:44:09 -0000
Petr, You should write an RFC (well, start with a draft) which explains the proposal and requests the PEN from IANA. Since the IPFIX WG is now closed, such a draft must be AD sponsored by Joel. P. On 26/03/15 07:14, Petr Velan wrote: > Hi Andrew, all, > > thank you for your explanation regarding nprobe. > > However, we also need a fallback for unknown exporters with IEs > > 2^15. The generic requests for PENs need organization name, contact > name and email address. I can try to request the PEN for NetFlow v9 > compatibility myself, but I'd like it to be more public. Therefore, I > suggest to complete the request with something like: > *Organization Name*: NetFlow v9 to IPFIX > *Contact Name*: IPFIX WG > *Contact E-Mail: *ipfix@ietf.org <mailto:ipfix@ietf.org> > > This is just a first proposal to get things moving, please add your > thoughts. Once the PEN is granted, we can move forward and explain its > purpose in a short RFC. > > Petr > > On Tue, Jan 6, 2015 at 9:07 PM, Andrew Feren <andrewf@plixer.com > <mailto:andrewf@plixer.com>> wrote: > > Hi Petr, > > On 01/06/2015 07:03 AM, Petr Velan wrote: >> Hello all, >> >> I'm not sure whether this is the right place to ask, but we >> encountered following problem when converting NetFlow v9 messages >> to IPFIX. >> >> Some vendors (I've heard of ntop) are using elements IDs large >> than 32767 in NetFlow v9. When converting messages with these >> elements to IPFIX, they are considered to be Enterprise Numbers. >> To generate proper IPFIX message, we need to do one of the following: >> a) Generate a list of the elements and map them to PEN of the >> correct vendor. However, this would result in an attempt to cover >> all possible elements that anybody used in NetFlow v9. Moreover, >> we would still have to somehow handle the cases where the element >> is unknown > This should help with ntop/nprobe > > Recent versions of nprobe (since version 5.5.5 I think) all use > the following mapping. > > PEN = 35632 and IPFIXID = (v9ID - 57472) > > For example, one v9 IE that nprobe exports is MYSQL_SERVER_VERSION > 57667. The IPFIX equivalent would be > MYSQL_SERVER_VERSION(35632/195). > > The nprobe docs have a complete list. > > Older versions of nprobe (pre ~2010) use IEs not in RFC 3954, but > later allocated in IANA. There is no good way to convert those v9 > exports to IPFIX. > > -Andrew > > >> b) Request a PEN for NetFlow compatibility and just add this PEN >> for every element that has ID larger than 32767. >> >> Personally, I believe that the b) is more general and >> error-prone. Do you think, that it would be possible to dedicate >> whole PEN to this cause? >> >> Thank you for any opinions, >> >> Petr Velan >> >> >> >> _______________________________________________ >> IPFIX mailing list >> IPFIX@ietf.org <mailto:IPFIX@ietf.org> >> https://www.ietf.org/mailman/listinfo/ipfix > >
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Gerhard Muenz
- [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Brian Trammell
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Brian Trammell
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Andrew Feren
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Andrew Feren
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Petr Velan
- Re: [IPFIX] NetFlow v9 to IPFIX conversion Paul Aitken