[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 RFC 6183

IPFIX Working Group                                         A. Kobayashi
Internet-Draft                                                H. Nishida
Intended status: Informational                               NTT PF Lab.
Expires: August 15, 2009                                       B. Claise
                                                           Cisco Systems
                                                       February 11, 2009


                       IPFIX Mediation: Framework
                draft-ietf-ipfix-mediators-framework-02

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 15, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.






Kobayashi, et al.        Expires August 15, 2009                [Page 1]

Internet-Draft          IPFIX Mediation Framework          February 2009


Abstract

   This document describes a framework for IPFIX Mediation.  This
   framework details the IPFIX Mediation reference model and the
   components of an IPFIX Mediator.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology and Definition . . . . . . . . . . . . . . . . . .  4
   3.  IPFIX/PSAMP Documents Overview . . . . . . . . . . . . . . . .  6
     3.1.  IPFIX Documents Overview . . . . . . . . . . . . . . . . .  6
     3.2.  PSAMP Documents Overview . . . . . . . . . . . . . . . . .  6
   4.  IPFIX Mediation Reference Model  . . . . . . . . . . . . . . .  7
   5.  IPFIX Mediation Functional and Logical Blocks  . . . . . . . . 10
     5.1.  Collecting Process . . . . . . . . . . . . . . . . . . . . 10
     5.2.  Exporting Process  . . . . . . . . . . . . . . . . . . . . 10
     5.3.  Intermediate Process . . . . . . . . . . . . . . . . . . . 10
       5.3.1.  Selection Function . . . . . . . . . . . . . . . . . . 10
       5.3.2.  Aggregation Function . . . . . . . . . . . . . . . . . 12
       5.3.3.  Correlation Function . . . . . . . . . . . . . . . . . 13
       5.3.4.  Modification Function  . . . . . . . . . . . . . . . . 14
     5.4.  IPFIX File Writer/Reader . . . . . . . . . . . . . . . . . 15
     5.5.  Flow Expiration  . . . . . . . . . . . . . . . . . . . . . 16
     5.6.  Information Model  . . . . . . . . . . . . . . . . . . . . 17
     5.7.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . 17
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 19
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 20
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 21
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 22
   Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 23
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24

















Kobayashi, et al.        Expires August 15, 2009                [Page 2]

Internet-Draft          IPFIX Mediation Framework          February 2009


1.  Introduction

   IPFIX Mediation has two classes of mediation: context mediation for
   traffic data and transport mediation for transport protocols that do
   not affect content.  Context mediation aggregates, correlates,
   filters, or modifies Data Records.  Transport mediation changes the
   transport protocol that carries IPFIX Messages.  This document
   describes the framework for IPFIX Mediation.  The motivation for the
   IPFIX Mediation standard comes from the need for functional blocks
   supporting IP traffic growth, multifaceted traffic measurement, and a
   heterogeneous environment, as described in detail in
   [I-D.ietf-ipfix-mediator-ps].  The standard specification requires a
   definition of IPFIX Mediation and IPFIX Mediator.

   This document is organized as follows.  Section 2 defines terminology
   related to IPFIX Mediation.  Section 3 describes a high level
   reference model.  Section 4 details the components of the IPFIX
   Mediator.

































Kobayashi, et al.        Expires August 15, 2009                [Page 3]

Internet-Draft          IPFIX Mediation Framework          February 2009


2.  Terminology and Definition

   The terms in this section are in line with those in the IPFIX
   Protocol specifications [RFC5101] and the PSAMP specification
   document [I-D.ietf-psamp-protocol].  The terms Observation Point,
   Observation Domain, Flow Key, Flow Record, Exporting Process,
   Exporter, IPFIX Device, Collecting Process, Collector, IPFIX Message,
   Metering Process, and Information Element are defined in the IPFIX
   protocol specifications [RFC5101], the term Packet Report is defined
   in the PSAMP specification document [I-D.ietf-psamp-protocol], and
   the terms IPFIX Mediation, IPFIX Mediator, Original Exporter, IPFIX
   Proxy, IPFIX Concentrator, IPFIX Distributor, IPFIX Masquerading
   Proxy are defined in the IPFIX Mediation problem statement document
   [I-D.ietf-ipfix-mediator-ps].  Additional terms required for the
   IPFIX Mediation are defined here.  All these terms have an initial
   capital letter in this document.

   Intermediate Process

      An Intermediate Process generates new sets of Data Records/
      Template Records from input Data Records/Template Records.

   Mediator Observation Domain

      A Mediator Observation Domain indicates the largest set of
      Observation Points from the viewpoint of a Collector, and a
      Mediator Observation Domain ID is used in an IPFIX Message header,
      such as the Observation Domain ID in [RFC5101].  However, the
      Mediator Observation Domain ID may not indicate the physical
      entity of an Original Exporter.  For example, the value may
      indicate the set of Exporters or set of line cards in an Exporter.
      The Mediator Observation Domain ID is 0 when an IPFIX Masquerading
      Proxy screens out the Mediator Observation Domain ID.

      [Note]
      [RFC5101] mentions that the Observation Domain ID should be 0 when
      no specific Observation Domain ID is relevant for the entire IPFIX
      Message, in the case of a hierarchy of Collectors when aggregated
      Data Records are exported.  However, even in the case of
      aggregation, the IPFIX Mediator can set a meaningful value.  This
      shows the conflict between Observation Domain ID and Mediator
      Observation Domain ID.

   Transport Session Information

      The Transport Session is specified in [RFC5101].  In SCTP, the
      Transport Session Information is the SCTP association.  In TCP and
      UDP, the Transport Session Information corresponds to a 5-tuple



Kobayashi, et al.        Expires August 15, 2009                [Page 4]

Internet-Draft          IPFIX Mediation Framework          February 2009


      {Exporter IP address, Collector IP address, Exporter transport
      port, Collector transport port, and transport protocol}.

















































Kobayashi, et al.        Expires August 15, 2009                [Page 5]

Internet-Draft          IPFIX Mediation Framework          February 2009


3.  IPFIX/PSAMP Documents Overview

3.1.  IPFIX Documents Overview

   The IPFIX protocol [RFC5101] provides network administrators with
   access to IP flow information.  The architecture for the export of
   measured IP flow information out of an IPFIX Exporting Process to a
   Collecting Process is defined in [I-D.ietf-ipfix-architecture], per
   the requirements defined in [RFC3917].  The IPFIX protocol [RFC5101]
   specifies how IPFIX Data Records and Templates are carried via a
   number of transport protocols from IPFIX Exporting Processes to IPFIX
   Collecting Processes.  IPFIX has a formal description of IPFIX
   Information Elements, their names, types, and additional semantic
   information, as specified in [RFC5102].  [I-D.ietf-ipfix-mib]
   specifies the IPFIX Management Information Base.  Finally,
   [I-D.ietf-ipfix-as] describes what types of applications can use the
   IPFIX protocol and how they can use the information provided.  It
   furthermore shows how the IPFIX framework relates to other
   architectures and frameworks.  The storage of IPFIX Messages in a
   file is specified in [I-D.ietf-ipfix-file].

3.2.  PSAMP Documents Overview

   The framework for packet selection and reporting
   [I-D.ietf-psamp-framework] enables network elements to select subsets
   of packets by statistical and other methods and to export a stream of
   reports on the selected packets to a Collector.  The set of packet
   selection techniques (sampling, filtering, and hashing) standardized
   by PSAMP is described in [I-D.ietf-psamp-sample-tech].  The PSAMP
   protocol [I-D.ietf-psamp-protocol] specifies the export of packet
   information from a PSAMP Exporting Process to a Collector.  Like
   IPFIX, PSAMP has a formal description of its Information Elements,
   their names, types, and additional semantic information.  The PSAMP
   information model is defined in [I-D.ietf-psamp-info].
   [I-D.ietf-psamp-mib] describes the PSAMP Management Information Base.
















Kobayashi, et al.        Expires August 15, 2009                [Page 6]

Internet-Draft          IPFIX Mediation Framework          February 2009


4.  IPFIX Mediation Reference Model

   The figure below shows the high-level reference model for IPFIX
   Mediation based on [I-D.ietf-ipfix-architecture].  This figure covers
   the various possible scenarios that can exist in an IPFIX measurement
   system.


   +---------------------------+    +---------------------------+
   | Collector {l}             |    | Collector {k}             |
   |[*Application(s)]          |    |[*Application(s)]          |
   |[Collecting Process(es)]   |....|[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
                    ^    ^              ^  ^
                    |    |              |  |
                    |    +------....----+  |
                    |    |                 |
             IPFIX (Flow Records / Packet Reports)
                    |    |                 |
   +----------------+----+-----+    +-------+-------------------+
   |IPFIX Mediator {j}         |    |IPFIX Mediator {n}         |
   |[*Applications(s)]         |    |[*Applications(s)]         |
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Intermediate Process(es)] |....|[Intermediate Process(es)] |
   |[Collecting Process(es)]   |    |[Collecting Process(es)]   |
   +---------------------------+    +---------------------------+
                    ^    ^               ^
                    |    |               |
                    |    +------....-----+
                    |                    |
             IPFIX (Flow Records / Packet Reports)
                    |                    |
   +----------------+----------+    +----+----------------------+
   |IPFIX Original Exporter {i}|    |IPFIX Original Exporter {m}|
   |[Exporting Process(es)]    |    |[Exporting Process(es)]    |
   |[Metering Process(es)]     |....|[Metering Process(es)]     |
   |[Observation Point(s)]     |    |[Observation Point(s)]     |
   +---------------------------+    +---------------------------+
               ^ ^                        ^ ^
               | |                        | |
            Packets coming to Observation Points



   Figure A: Reference Model for IPFIX Mediation.

   The various functional components are indicated within brackets [].
   The functional components within [*] are not part of this document



Kobayashi, et al.        Expires August 15, 2009                [Page 7]

Internet-Draft          IPFIX Mediation Framework          February 2009


   and [I-D.ietf-ipfix-architecture].

   The figure below shows the basic IPFIX Mediator component model.  The
   IPFIX Mediator is formally defined as consisting of one or more
   Collecting Processes, zero or more Intermediate Processes, and one or
   more Exporting Processes.  Basically, the IPFIX Mediator devices,
   i.e., IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and
   IPFIX Concentrator, described in [I-D.ietf-ipfix-mediator-ps] are
   composed of these components.


            IPFIX (Flow Records / Packet Reports)
                              ^
                            ^ |
   +------------------------|-|---------------------+
   | IPFIX Mediator         | |                     |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |          Exporting Process(es)            |' |
   | '----------------------^--------------------'  |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |    Intermediate Process(es) (optional)    |' |
   | '----------------------^--------------------'  |
   |                        | |                     |
   |  .---------------------|-+-------------------. |
   | .----------------------+--------------------.| |
   | |          Collecting Process(es)           |' |
   | '----------------------^--------------------'  |
   +------------------------|-|---------------------+
                            |
            IPFIX (Flow Records / Packet Reports)

   Figure B: IPFIX Mediator Basic Component Model.

   An Original Exporter with an IPFIX Mediation is modeled as follows.













Kobayashi, et al.        Expires August 15, 2009                [Page 8]

Internet-Draft          IPFIX Mediation Framework          February 2009


               IPFIX (Flow Records / Packet Reports)
                               ^ ^
   +---------------------------|-|------------------------+
   | Original Exporter         | |                        |
   |                           | |                        |
   |     .---------------------|-+-------------------.    |
   |    .----------------------+--------------------.|    |
   |    |           Exporting Process(es)           |'    |
   |    '----------------------^--------------------'     |
   |                           | |                        |
   |     .---------------------|-+-------------------.    |
   |    .----------------------+--------------------.|    |
   |    |          Intermediate Process(es)         |'    |
   |    '---------^-----------------------^---------'     |
   |              |Flow Record or         |               |
   |              |        Packet Reports |               |
   | .------------+----------.  .---------+-------------. |
   | | Metering Process {i}  |..| Metering Process {n}  | |
   | '------------^----------'  '---------^-------------' |
   |              |                       |               |
   | .------------+----------.  .---------+-------------. |
   | | Observation Point {i} |..| Observation Point {n} | |
   | '------------^----------'  '---------^-------------' |
   +--------------|-----------------------|---------------+
                  |                       |
            Packets coming to Observation Points

   Figure C: Component Model for Original Exporter with Mediation.























Kobayashi, et al.        Expires August 15, 2009                [Page 9]

Internet-Draft          IPFIX Mediation Framework          February 2009


5.  IPFIX Mediation Functional and Logical Blocks

   This section describes the details of each component and examples
   applicable to that component for IPFIX Mediation and IPFIX Mediators.

5.1.  Collecting Process

   The Collecting Processes described in [RFC5101] receive Data Records
   with information relating to their treatment in the Metering Process
   and Exporting Process in the Original Exporter, such as sampling
   rate, IPFIX Message header information, and Transport Session
   Information.  The Collecting Processes transmit the set of data to
   multiple components: Intermediate Processes and Exporting Processes.
   In other words, the processes may duplicate received Data Records and
   transmit them to multiple components in sequence or in parallel.

5.2.  Exporting Process

   The Exporting Processes described in [RFC5101] transmit Data Records
   to one or multiple Collectors.  The processes manage the reporting
   Template and create IPFIX Messages.

5.3.  Intermediate Process

   The Intermediate Processes generate new sets of Data Records from
   input Data Records with context information collected by the
   Collecting Process that includes the "Export Time" and "Observation
   Domain ID" included in IPFIX Message headers.  The processes host one
   of several functions defined below or a combination of them, in any
   sequence or in any set.  In the case of a combination, the output of
   each function can be the input of other functions.  The following
   subsections show the details of each function.

5.3.1.  Selection Function

   The Selection Function determines which input Data Records are
   selected by matching them under a filtering policy and then transmits
   them to the next processes or functions.  The function is similar to
   the Selection Process described in [I-D.ietf-psamp-sample-tech].  The
   function covers several selection techniques, such as property match
   filtering and sampling.  In property match filtering, if the value of
   a specified Information Element equals a configured value, the
   function selects a Data Record to transmit.

   The combination of the Selection Functions and other functions
   provides some useful applications.





Kobayashi, et al.        Expires August 15, 2009               [Page 10]

Internet-Draft          IPFIX Mediation Framework          February 2009


   Data-based Collector Selection

      The combination of one or multiple Selection Functions and
      Exporting Processes can determine to which Collector input Data
      Records are exported.  Applicable examples include exporting Data
      Records to a dedicated Collector on the basis of customer or
      organization peering.  For example, selectors select Data Records
      on the basis of a peering AS number, as shown in the following
      figure.  The set of Data Records is exported to a dedicated
      Collector on the basis of the peering AS number.

         .----------------------.
         | Intermediate Process |  +----------------+
         |                      |  |  Exporting     |
         | +- Selection #1 ------->|    Process #1  |--> Collector #1
   Data  | |   Peering AS #10   |  '-----------------'
   Record| |                    |  +----------------+
   --------+- Selection #2 ------->|  Exporting     |--> Collector #2
         | |   Peering AS #20   |  |    Process #2  |
         | |                    |  '----------------'
         | |                    |  +----------------+
         | +- Selection #1 ------->|  Exporting     |--> Collector #3
         |     Peering AS #30   |  |    Process #3  |
         '----------------------'  '----------------'

      Figure D: Exporting classified Data Records to dedicated
      Collector.

   Flow Selection and Aggregation

      The combination of one or multiple Selection Functions and
      Aggregation Functions can efficiently reduce the amount of Flow
      Records.  For example, a selector selects small Flows consisting
      of a small number of packets and then transmits them to the
      Aggregation Function.  Another selector selects other Flows and
      then transmits them to the Exporting Process, as shown in the
      following figure.  This results in aggregation based on the
      distribution of the number of packets per Flow.













Kobayashi, et al.        Expires August 15, 2009               [Page 11]

Internet-Draft          IPFIX Mediation Framework          February 2009


         .-------------------------------------+   +-------------------+
         |         Intermediate Process        |   | Exporting Process |
         |                                     |   |                   |
   Data  | +- Selection #1 -----> Aggregation ---->|                   |
   Record| |   packetDeltaCount <= 5           |   |                   |
   --------+                                   |   |                   |
         | |                                   |   |                   |
         | +- Selection #2 ----------------------->|                   |
         |     packetDeltaCount > 5            |   |                   |
         '-------------------------------------'   '-------------------'

      Figure E: Flow Selection and Aggregation

5.3.2.  Aggregation Function

   The Aggregation Function creates aggregated Flow Records from input
   Flow Records/Packet Reports.  The aggregation method is divided into
   three types.

   Flow Key Field Selection

      Decreasing the number of fields considered as Flow Keys, such as
      three, two, or one Flow Key field, creates more aggregated Flow
      Records.  The function gathers Data Records within a given
      interval time and then merges the Data Records that have common
      properties.  If the values of given Flow Key fields are the same,
      that means those Data Records have common properties, and the
      function merges them in accordance with the aggregation policy.

      In addition, the function can create statistical data and
      subsidiary information related to the aggregated Flow Records.
      Examples include the number of input Data Records, the given
      interval time, and a new set of Flow Keys.

   Time Composition

      Time composition is defined as aggregation of Flow Records with
      identical Flow Key values within a given interval time.  The
      function may also compute Flow Records statistics, such as the
      maximum, and minimum values of each counter.  The statistics
      enable the visualization of the behavior of traffic volume over a
      long time period.  The function provides some advantages.

      *  reducing the number of Flow Records for long-running Flows

      *  computing the active time period for long-running Flows





Kobayashi, et al.        Expires August 15, 2009               [Page 12]

Internet-Draft          IPFIX Mediation Framework          February 2009


      *  revealing the up-and-down traffic volume within an active time

         Short period Flow Records created by configurating a short
         active time, e.g., 1 or 10 sec, are merged within a certain
         time period, e.g., 60 or 300 sec, at an IPFIX Mediator.  While
         merging, the IPFIX Mediator computes new metrics such as
         maximum and minimum.  It produces more precise maximum and
         minimum values without increasing the number of Flow Records on
         a Collector.

   Space Composition

      Space composition is defined as aggregation on a larger
      Observation Domain or on a set of Observation Points.  Generally,
      Flow Key fields are included in a Flow Record.  In that case,
      other properties that are not included in a Flow Record, such as
      the Exporter IP address or Observation Domain ID, become Flow Key
      fields.

      In addition, a group identifier indicating a spatial Observation
      Domain can also become a new Flow Key. For example, a group can
      indicate an area on an ISP network, or a link aggregation
      interface composed of physical interfaces.  The group can also
      make a relation to a set of values of specified Information
      Elements in the Flow Records by the configuring rule.  After
      converting from the values of specified Information Elements to
      the group identifier, the function can create aggregated Flow
      Records by a general aggregation process.

5.3.3.  Correlation Function

   The Correlation Function creates new metrics by evaluating the
   correlation among sets of Flow Records/Packet Reports.  These sets
   can be Flow Records gathered during a certain period, a pair of
   consecutive Packet Reports, or Packet Reports exported by different
   Exporters indicating the same packet.  After producing new metrics,
   the function outputs Flow Records with the new metrics field.
   Applicable examples are as follows.

   o  One way delay follows from the correlation of Packet Reports
      exported from different Exporters on the path.

   o  Packet interval time, or jitter, follows the correlation of
      consecutive Packet Reports exported from the same Exporter.

   o  Difference values follow the correlation of Flow Records observed
      at ingress or egress interfaces.  The values help to confirm the
      result of a queueing or rate-limiting function.



Kobayashi, et al.        Expires August 15, 2009               [Page 13]

Internet-Draft          IPFIX Mediation Framework          February 2009


   o  Average/maximum/minimum values follow the correlation of each in a
      set of Flow Records.

5.3.4.  Modification Function

   The Modification Function modifies input Data Records without
   changing their granularity.  The function can add new Information
   Elements, delete existing Information Elements, or modify the value
   of specified Information Elements.  If the function modifies the data
   structure of an original Template, it also needs to modify the value
   of the "flowKeyIndicator".

   Adding specified Information Elements

      The function obtains the value of a specified Information Element
      and then adds it to Data Records.  There are several methods to
      obtain the value: retrieving the value from a database or
      calculating the value on the basis of the value of other
      Information Elements and received traffic data.

      Applicable examples include adding derived packet property
      parameters.  Doing that can compensate for traditional exporting
      devices or probes that are unable to add packet property
      parameters.  Therefore, Collectors do not need to recognize the
      difference among implementations of routers from several vendors
      or among Exporter types, such as router, switch, or probe.
      Typical derived packet property parameters include the following.

      *  The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102]
         indicates the egress router of a network domain.  That is
         useful for making a traffic matrix that covers the whole
         network domain.

      *  The BGP community value indicates the same group of destination
         or source IP addresses.

      *  The "mplsVpnRouteDistinguisher" described in [RFC5102], which
         cannot be extracted from the core router in MPLS networks,
         indicates the VPN customer's identification.  Network operators
         can monitor the traffic behavior of each customer by adding
         "mplsVpnRouteDistinguisher" to Data Records.

   Deleting specified Information Elements

      This function deletes existing Information Elements according to
      instruction rules, which indicate whether an Information Element
      should be removed.




Kobayashi, et al.        Expires August 15, 2009               [Page 14]

Internet-Draft          IPFIX Mediation Framework          February 2009


      Applicable examples include hiding network topology information
      and private information.  In the case of IPFIX exporting across
      domains, the function can avoid creating a vulnerability by
      deleting unnecessary Information Elements.  Examples of network
      topology information include "ipNextHopIP{v4|v6}Address",
      "bgpNextHopIP{v4|v6}Address", and "bgp{Next|
      Prev}AdjacentAsNumber", described in [RFC5102].  In addition,
      MPLS-related Information Elements, such as
      "mplsLabelStackSection", are useless for the customers in the case
      of feeding Flow Records/Packet Reports to VPN customers.

   Modifying the value of specified Information Elements

      This function modifies the value of specified Information
      Elements.

      Applicable examples include anonymizing customers' private
      information, such as IP address and port number, according to a
      privacy protection policy.  The function may also report
      anonymized fields and the anonymization method as subsidiary
      information.

5.4.  IPFIX File Writer/Reader

   The IPFIX File Writer/Reader on an IPFIX Mediator complies with
   [I-D.ietf-ipfix-file] as well.  The IPFIX File Writer stores input
   Data Records from any process in a file system.  If received Data
   Records include uninteresting Information Elements, the Modification
   Function can delete these elements before the IPFIX File Writer
   handles them.

   In contrast, the IPFIX File Reader retrieves stored Data Records when
   administrators want to retrieve past Data Records from a given time
   period.  If the data structure of output Data Records from the IPFIX
   File Reader is different from what administrators want, the
   Modification Function can modify the data structure.

   The figure shows the IPFIX component model with an IPFIX File Writer/
   Reader.












Kobayashi, et al.        Expires August 15, 2009               [Page 15]

Internet-Draft          IPFIX Mediation Framework          February 2009


           IPFIX (Flow Records / Packet Reports)
                             ^
                           ^ |
    .----------------------|-+--------------------.
   .-----------------------+---------------------.|
   |  Exporting Process(es) / IPFIX File Writer  |'
   '----^------------------^---------------------'
        |                  | |
        |    .-------------|-+--------------------.
        |   .--------------+---------------------.|
        |   |      Intermediate Process(es)      |'
        |   '--------------^-^-------------------'
        |                  | |
    .---+------------------|-+--------------------.
   .-----------------------+---------------------.|
   | Collecting Process(es) / IPFIX File Reader  |'
   '-----------------------^---------------------'
                           |
            IPFIX (Flow Records / Packet Reports)


   Figure E: IPFIX Mediator Component Model with IPFIX File Writer/
   Reader.

5.5.  Flow Expiration

   The Aggregation Function needs expiration conditions to export cached
   Flow Records.  These conditions are described in
   [I-D.ietf-ipfix-architecture].  In the case of IPFIX Mediation, these
   conditions are as follows.

   o  If there are no input Data Records belonging to a cached Flow for
      a certain time period, aggregated Flow Records will expire.  This
      time period should be configurable at the Intermediate Process.

   o  If the IPFIX Mediator experiences resource constraints, aggregated
      Flow Records may prematurely expire (e.g., lack of memory to store
      Flow Records).

   o  For long-running Flows, the Intermediate Process should cause the
      Flow to expire on a regular basis or based on an expiration
      policy.  This periodicity or expiration policy should be
      configurable at the Intermediate Process.

   The Correlation Function also needs similar expiration conditions.
   However, when cached Flow Records prematurely expire and the function
   cannot compute their correlation, cached Flow Records may be
   discarded.



Kobayashi, et al.        Expires August 15, 2009               [Page 16]

Internet-Draft          IPFIX Mediation Framework          February 2009


5.6.  Information Model

   IPFIX Mediation reuses the general information model from [RFC5102]
   and from [I-D.ietf-psamp-info].  The Correlation Function uses the
   additional Information Elements indicating the minimum and maximum
   values for packet count and octet count.

5.7.  Examples

   As an example in the case of Intermediate Processes having different
   functions, a Collecting Process/IPFIX File Reader replicates Data
   Records, if necessary, and transmits them to a suitable Intermediate
   Process/Exporting Process.  An example figure is shown below.






































Kobayashi, et al.        Expires August 15, 2009               [Page 17]

Internet-Draft          IPFIX Mediation Framework          February 2009


                        IPFIX           IPFIX               IPFIX
                          ^               ^                   ^
                          |               |                   |
    .------------.  .-----+-------. .-----+-------.    .------+------.
    | IPFIX File |  | Exporting   | | Exporting   |    | Exporting   |
    |  Writer    |  |  Process {i}| |  Process {j}|....|  Process {n}|
    '-----^-^----'  '-----^-------' '-----^-------'    '------^------'
          | |             |               |                   |
          | +-------------+               |             Flow Records
          |          Flow Records / Packet Reports            |
          |        .------+-------. .-----+--------.   .------+-------.
          |        | Intermediate | | Intermediate |   | Intermediate |
          |        |  Process {l} | |  Process {m} |   |  Process {p} |
          |        |              | |              |...|              |
          |        |  Selection   | |  Selection   |   |              |
     Flow Records  |      ^       | |      ^       |   |              |
          |        |      |       | |      |       |   |              |
          |        |  Correlation | |  Modification|   |  Modification|
          |        |      ^       | |      ^       |   |      ^       |
          |        |      |       | |      |       |   |      |       |
          |        |  Selection   | |  Aggregation |...|  Selection   |
          |        |      ^       | |     ^ ^      |   |      ^       |
          |        '------|-------' '-----|-|------'   '------|-------'
          |               |               | |                 |
          |               +---------------+ |           Flow Records
          |               |                 |                 |
          |          Flow Records / Packet Reports            |
   .------+------. .------+------.   .------+------.    .-----+------.
   | Collecting  | | Collecting  |   | Collecting  |    | IPFIX File |
   |  Process {i}| |  Process {j}|...|  Process {n}|    |  Reader    |
   '------^------' '------^------'   '------^------'    '------------'
          |               |                 |
        IPFIX           IPFIX             IPFIX

   Figure F: Functional Block Examples for IPFIX Mediator.
















Kobayashi, et al.        Expires August 15, 2009               [Page 18]

Internet-Draft          IPFIX Mediation Framework          February 2009


6.  Security Considerations

   An IPFIX measurement system must also prevent the security threats
   related to IPFIX Mediation that follow as well as the security
   threats described in the security consideration section in [RFC5101].

   o  attacks against IPFIX Mediators

      IPFIX Mediators need to prevent unauthorized access or denial-of-
      service (DoS) attacks from untrusted public networks.  One
      solutions is that IPFIX Mediators host the packet filter function
      to reject malicious packets at an outside interface.

   o  man-in-the-middle attacks by untrusted IPFIX Mediators

      The Collector-Mediator-Exporter structure model would increase the
      risk of man-in-the-middle attacks.  One solutions is that IPFIX
      Collectors and Exporters must verify trusted IPFIX Mediators to
      prevent connection to untrusted IPFIX Mediators.

   o  configuration of IPFIX Mediation

      In the case of IPFIX Distributors and IPFIX Masquerading Proxies,
      an accidental misconfiguration and unauthorized access to
      configuration data could lead to the crucial problem of disclosure
      of confidential traffic data.
      To eliminate these risks, IPFIX Mediators must provide the
      authentication function for authorized administrators and the
      facilities to help in tracing configuration changes to their
      origin.





















Kobayashi, et al.        Expires August 15, 2009               [Page 19]

Internet-Draft          IPFIX Mediation Framework          February 2009


7.  IANA Considerations

   This document has no actions for IANA.
















































Kobayashi, et al.        Expires August 15, 2009               [Page 20]

Internet-Draft          IPFIX Mediation Framework          February 2009


8.  References

8.1.  Normative References

   [I-D.ietf-ipfix-architecture]
              Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export",
              draft-ietf-I-D.ietf-ipfix-architectureitecture-12.txt(work
              in progress) , September 2006.

   [I-D.ietf-ipfix-as]
              Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IPFIX
              Applicability", draft-ietf-ipfix-as-12 (work in
              progress) , June 2007.

   [I-D.ietf-ipfix-mib]
              Dietz, T., Claise, B., and A. Kobayashi, "Definitions of
              Managed Objects for IP Flow Information Export",
              draft-ietf-ipfix-mib-05 (work in progress) ,
              November 2008.

   [I-D.ietf-psamp-framework]
              Duffield, N., "A Framework for Packet Selection and
              Reporting", draft-ietf-psamp-framework-13.txt , June 2008.

   [I-D.ietf-psamp-info]
              Dietz, T., Claise, B., Aitken, P., Dressler, F., and G.
              Carle, "Information Model for Packet Sampling Exports",
              draft-ietf-psamp-info-11.txt (work in progress) ,
              October 2008.

   [I-D.ietf-psamp-mib]
              Dietz, T. and B. Claise, "Definitions of Managed Objects
              for Packet Sampling", draft-ietf-psamp-mib-06 (work in
              progress) , June 2006.

   [I-D.ietf-psamp-protocol]
              Claise, B., Quittek, J., and A. Johnson, "Packet Sampling
              (PSAMP) Protocol Specifications",
              draft-ietf-psamp-protocol-09.txt , December 2007.

   [I-D.ietf-psamp-sample-tech]
              Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F.
              Raspall, "Sampling and Filtering Techniques for IP Packet
              Selection", draft-ietf-psamp-sample-tech-11.txt ,
              July 2008.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,



Kobayashi, et al.        Expires August 15, 2009               [Page 21]

Internet-Draft          IPFIX Mediation Framework          February 2009


              "Requirements for IP Flow Information Export(IPFIX)",
              October 2004.

   [RFC5101]  Claise, B., "Specification of the IP Flow Information
              Export (IPFIX) Protocol for the Exchange of IP Traffic
              Flow Information", January 2008.

   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
              Meyer, "Information Model for IP Flow Information Export",
              January 2008.

8.2.  Informative References

   [I-D.ietf-ipfix-file]
              Trammell, B., Boschi, E., Mark, L., Zseby, T., and A.
              Wagner, "An IPFIX-Based File Format",
              draft-ietf-ipfix-file-03.txt(work in progress) ,
              October 2008.

   [I-D.ietf-ipfix-mediator-ps]
              Kobayashi, A., Nishida, H., Sommer, C., Dressler, F.,
              Stephan, E., and B. Claise, "IPFIX Mediation: Problem
              Statement",
              draft-ietf-ipfix-mediation-problem-statement-02.txt(work
              in progress) , September 2009.


























Kobayashi, et al.        Expires August 15, 2009               [Page 22]

Internet-Draft          IPFIX Mediation Framework          February 2009


Appendix A.  Acknowledgements

   The authors gratefully acknowledge the contributions of

   Keisuke Ishibashi,
   Tsuyoshi Kondoh, and
   Daisuke Matsubara.












































Kobayashi, et al.        Expires August 15, 2009               [Page 23]

Internet-Draft          IPFIX Mediation Framework          February 2009


Authors' Addresses

   Atsushi Kobayashi
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-cho
   Musashino-shi, Tokyo  180-8585
   Japan

   Phone: +81-422-59-3978
   Email: akoba@nttv6.net


   Haruhiko Nishida
   NTT Information Sharing Platform Laboratories
   3-9-11 Midori-cho
   Musashino-shi, Tokyo  180-8585
   Japan

   Phone: +81-422-59-3978
   Email: nishida.haruhiko@lab.ntt.co.jp


   Benoit Claise
   Cisco Systems
   De Kleetlaan 6a b1
   Diegem  1831
   Belgium

   Phone: +32 2 704 5622
   Email: bclaise@cisco.com





















Kobayashi, et al.        Expires August 15, 2009               [Page 24]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/