[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05

Network Working Group                                        F. Dressler
Internet-Draft                                                 C. Sommer
Expires: June 23, 2006                            University of Erlangen
                                                                G. Muenz
                                                 University of Tuebingen
                                                       December 20, 2005


                           IPFIX Aggregation
               <draft-dressler-ipfix-aggregation-02.txt>

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 23, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   IPFIX Aggregation describes a methodology for reducing the amount of
   measurement data exchanged between monitoring devices (IPFIX
   exporters) and analyzers (IPFIX collectors).  Using aggregation
   techniques, measurement information of multiple similar flows is
   aggregated into one compound meta-flow record.  Subsets of flows
   eligible for aggregation, as well as the degree of similarity, can be



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 1]


Internet-Draft              IPFIX Aggregation              December 2005


   customized using aggregation rules.

   To ensure efficient communication of both aggregated flows and the
   aggregation rules used, the IPFIX Protocol and IPFIX Information
   Model are slightly extended to allow for two new abstract data types
   and a new type of template set.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3

   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3

   3.  Architecture . . . . . . . . . . . . . . . . . . . . . . . . .  4

   4.  Methodology  . . . . . . . . . . . . . . . . . . . . . . . . .  5
     4.1   Aggregation Rules  . . . . . . . . . . . . . . . . . . . .  5
     4.2   Field Modifiers  . . . . . . . . . . . . . . . . . . . . .  6
     4.3   Patterns and Common Properties . . . . . . . . . . . . . .  7
     4.4   Rule Semantics . . . . . . . . . . . . . . . . . . . . . .  7
     4.5   Example  . . . . . . . . . . . . . . . . . . . . . . . . .  8

   5.  IPFIX Extensions . . . . . . . . . . . . . . . . . . . . . . .  8
     5.1   ipv4Network  . . . . . . . . . . . . . . . . . . . . . . .  9
     5.2   portRanges . . . . . . . . . . . . . . . . . . . . . . . .  9
     5.3   Data Template  . . . . . . . . . . . . . . . . . . . . . . 10
     5.4   Example  . . . . . . . . . . . . . . . . . . . . . . . . . 14

   6.  Application Examples . . . . . . . . . . . . . . . . . . . . . 16
     6.1   Charging . . . . . . . . . . . . . . . . . . . . . . . . . 16
     6.2   Intrusion Detection  . . . . . . . . . . . . . . . . . . . 16

   7.  Security considerations  . . . . . . . . . . . . . . . . . . . 17

   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
     8.1   Normative References . . . . . . . . . . . . . . . . . . . 17
     8.2   Informative References . . . . . . . . . . . . . . . . . . 17

       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18

       Intellectual Property and Copyright Statements . . . . . . . . 19










Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 2]


Internet-Draft              IPFIX Aggregation              December 2005


1.  Introduction

   Flow measurement in high-speed large-scale networks easily produces a
   huge amount of data that can not be handled by a single IPFIX
   collector or analyzer.  Also, many applications processing flow
   measurement data do not require detailed flow-level information but
   only information about flow aggregates, where the quality and level
   of flow aggregation is very application-specific.  This document
   presents a flexible flow aggregation scheme that helps both, reducing
   the number and size of exported flow records and adapting the
   transmitted measurement information to the requirements of the
   application.  These goals are achieved by discarding unneeded
   measurement information and merging multiple individual flows into a
   smaller number of compound meta-flows before the remaining
   measurement data is exported to the analyzer.  The following sections
   show how to design and implement IPFIX aggregators and introduce
   appropriate extensions to the IPFIX protocol.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Terminology

   Apart from the basic terms as defined in [RFC3917], [I-D.ietf-ipfix-
   protocol], and [I-D.ietf-ipfix-architecture], the following terms are
   used within this document:
   Meta-flow:
      A meta-flow is an aggregate of individual flows.

   Meta-flow record:
      A meta-flow record contains the measurement data of a meta-flow.
      It MAY contain the total count of all packets that belong to the
      same meta-flow and were observed within a given time interval.
      Flow properties that were discarded during flow aggregation are no
      longer contained in the meta-flow record.

   Aggregation rule:
      An aggregation rule defines the properties of a meta-flow and the
      content of the corresponding meta-flow record.  Optionally, a set
      of common properties MAY be specified in order to restrict the
      applicability of the rule to those flows that show certain
      patterns.








Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 3]


Internet-Draft              IPFIX Aggregation              December 2005


   Data Template:
      A Data Template, as proposed in Section 5.3, SHOULD be used to
      define the structure of the meta-flow record and to inform the
      analyzer about the applied aggregation rule and the common
      properties.


3.  Architecture

   Aggregation of measurement data may take place at two possible
   stages:
   o  An internal aggregator, as depicted in Figure 1, is implemented as
      a process running in an IPFIX enabled device.  It aggregates flow
      data generated by multiple metering processes and exports them as
      meta-flow records.  In practical implementations, metering and
      aggregation MAY be performed in a single step in order to reduce
      the number of retained state information.

   +------------------------------------------+     +--------------+
   | IPFIX-enabled device       .---.   .---. |     |              |
   | .--------------------.     | A |   |   | | .-->|   Analyzer   |
   | | Metering Process 1 |-.   | g |   | E | | |   |              |
   | `--------------------' |   | g |   | x | | |   +--------------+
   |                        |   | r |   | p |---'
   |           .            '-->| e |   | o | |
   |           .                | g |-->| r | |
   |           .            .-->| a |   | t |---.
   |                        |   | t |   | e | | |   +--------------+
   | .--------------------. |   | o |   | r | | |   |              |
   | | Metering Process N |-'   | r |   |   | | '-->| Concentrator |
   | `--------------------'     `---'   `---' |     |              |
   +------------------------------------------+     +--------------+

                        Figure 1: Internal Aggregation

   o  An external aggregator, called concentrator in IPFIX terminology,
      may be used where the deployed monitoring devices cannot be
      modified to incorporate an internal aggregator.  Furthermore,
      concentrators enable cascaded, multi-level aggregation of flow
      information.  As shown in Figure 2, a concentrator receives flow
      records from monitoring devices and/or lower-level concentrators
      and exports the aggregated meta-flow information to higher-level
      concentrators and/or analyzers.








Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 4]


Internet-Draft              IPFIX Aggregation              December 2005


   +--------------+    +-----------------------+     +--------------+
   |              |    | Concentrator          |     |              |
   | Concentrator |-.  | .---.   .---.   .---. | .-->|   Analyzer   |
   |              | |  | | C |   | A |   |   | | |   |              |
   +--------------+ |  | | o |   | g |   | E | | |   +--------------+
                            '--->| l |   | g |   | x |---'
                               | | l |   | r |   | p | |
                               | | e |-->| e |-->| o | |
                               | | c |   | g |   | r | |
                            .--->| t |   | a |   | t |---.
   +--------------+ |  | | o |   | t |   | e | | |   +--------------+
   |              | |  | | r |   | o |   | r | | |   |              |
   | IPFIX device |-'  | |   |   | r |   |   | | '-->| Concentrator |
   |              |    | `---'   `---'   `---' |     |              |
   +--------------+    +-----------------------+     +--------------+

                        Figure 2: External Aggregation


4.  Methodology

4.1  Aggregation Rules

   Regarding the configuration of the aggregator, a rule-based approach
   is proposed.  A list of user-defined aggregation rules is supplied to
   the aggregator.  An aggregation rule consists of multiple aggregation
   instructions, one for each IPFIX field that is to be considered.  An
   aggregation instruction comprises the following elements:
   o  The IPFIX field the aggregation instruction refers to (e.g.
      destinationIPv4Address).  Only flows that contain the field
      mentioned will be considered for aggregation in the meta-flow.
   o  One of the field modifiers "discard", "keep", "mask", or
      "aggregate" that specifies how this field is treated by the
      aggregator and whether it is included in the meta-flow record or
      not.
   o  An OPTIONAL pattern for this field that restricts the aggregation
      to those flows that match the given value(s) (e.g. 10.10.0.0/16).
      Only flows that match all patterns of the rule will be aggregated
      in the meta-flow.

   With this definition of aggregation instructions each rule
   unambiguously defines the content of the meta-flow record as well as
   the template to export the meta-flow information.  If a field is
   present in the meta-flow record and how it is encoded depends on the
   field modifier.  This behavior is explained in Section 4.2.  Fields
   that do not appear in any of the aggregation instructions are not
   part of the meta-flow record.  The usage of patterns in order to
   define common properties is explained in Section 4.3.



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 5]


Internet-Draft              IPFIX Aggregation              December 2005


4.2  Field Modifiers

   The following field modifiers are applicable to fields that are part
   of a flow record's Flow Key as defined in [I-D.ietf-ipfix-
   architecture]:
   discard:
      The field is not included in the meta-flow records, i.e. meta-
      flows are not distinguishable with respect to this field.
      Incoming flow records with different values for this IPFIX field
      are merged.

   keep:
      The field is included in the meta-flow record, i.e. meta-flows are
      distinguishable with respect to this field.  Incoming flow records
      with different values for this field are not merged, but
      contribute to different meta-flows instead.

   mask/n (applicable to IP addresses only):
      The field is included in the meta-flow record, but the number of
      significant bits reduced to n bits.  Incoming flow records with IP
      addresses belonging to the same subnet are merged, so meta-flows
      are distinguishable with respect to resulting subnet addresses
      only.  In accordance with the IPFIX Information Model, the
      resulting subnet address MAY be encoded with a IP prefix field and
      a IP mask field.  It SHOULD, however, be encoded with a single
      field of the new abstract data type "ipv4Network" as proposed in
      Section 5.1.


   If an aggregation instruction refers to a field that is not part of
   the Flow Key (e.g. a time stamp or a count) the only possible field
   modifier is:
   aggregate:
      The field is included in the meta-flow record.  The value for this
      field is derived from the corresponding values of the original
      flows by applying an aggregation function.  The type of
      aggregation function to be applied depends on the field type.  For
      example, the meta-flow's start timestamp is set to the minimum of
      the original start timestamps, packet and byte counts of
      aggregated flows are summed up.  Table 1 gives an overview of
      common field types and their associated aggregation function.
      Refer to the IPFIX Information Model [I-D.ietf-ipfix-info] for a
      description of the mentioned fields.








Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 6]


Internet-Draft              IPFIX Aggregation              December 2005


            +-----------------------+----------------------+
            | Field                 | Aggregation Function |
            +-----------------------+----------------------+
            | minimumPacketLength   | minimum              |
            | minimumTtl            | minimum              |
            | flowStartSeconds      | minimum              |
            | flowStartMilliSeconds | minimum              |
            | maximumPacketLength   | maximum              |
            | maximumTtl            | maximum              |
            | flowEndSeconds        | maximum              |
            | flowEndMilliSeconds   | maximum              |
            | ipv6OptionHeaders     | binary OR            |
            | tcpControlBits        | binary OR            |
            | octetDeltaCount       | sum                  |
            | packetDeltaCount      | sum                  |
            +-----------------------+----------------------+

        Table 1: Treatment of Fields Carrying Metering Information

   Because the export of a meta-flow record requires an appropriate
   template, a one-to-one relationship between rules and templates can
   be established.

4.3  Patterns and Common Properties

   The applicability of an aggregation rule MAY be restricted to flows
   whose Flow Keys match certain patterns.  Thus, patterns act as
   filters that enable the selection of flows and meta-flows that are
   exported to the analyzer.  For example, the pattern "80" can be
   applied to the Flow Key sourceTransportPort in order to export only
   (meta-)flows originated by an HTTP server.  Patterns MUST NOT be used
   in combination with fields that are not part of the Flow Key, such as
   the field types shown in Table 1.

   The defined patterns constitute common properties of the aggregated
   flows.  Furthermore, the common properties are the same for all meta-
   flows resulting from the corresponding aggregation rule.  Common
   properties MAY be exported as regular IPFIX fields.  However, in
   order to reduce redundancy and to make patterns distinguishable from
   other fields, they SHOULD be transmitted as fixed-value fields using
   the Data Template presented in Section 5.3.  Additionally, encoding
   common properties as fixed-value fields make the applied patterns
   visible to the analyzer.

4.4  Rule Semantics

   By default, incoming flow records are checked against all aggregation
   rules.  If a rule matches, i.e. if the flow record comprises all



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 7]


Internet-Draft              IPFIX Aggregation              December 2005


   required fields and matches all given patterns, the field modifiers
   are applied and the corresponding meta-flow record is generated or
   updated.  Therefore, incoming flow records that match multiple rules
   contribute to multiple meta-flows.

   In some cases, it is preferred that an incoming flow record that
   matched a certain rule is not checked against other rules in order to
   avoid that this flow contributes to multiple meta-flows.  Therefore,
   it is possible to indicate a preceding rule for each aggregation
   rule.  If a preceding rule is given, the aggregator tries to
   aggregate an incoming flow according to the preceding rule.  Only if
   the preceding rule is not applicable, e.g. because the incoming flow
   does not match the given pattern, the current rule is applied.  Using
   the preceding rule relationship, rules can be organized in rule
   chains and rule trees where only the first matching rule is applied
   in every chain or branch.  Consequently, each flow record is counted
   at most once per chain or branch.  Rules that do not define a
   preceding rule are used to check all incoming flow records and may
   constitute the beginning of a rule chain or the root of a rule tree.

   The Preceding Rule field in the header of the Data Template (see
   Section 5.3) is used to identify the preceding rule by its Template
   ID.  If this ID is set to 0, there is no preceding rule and the rule
   is checked against all incoming records.

4.5  Example

   Here is an example rule with four aggregation instructions:
   1.  Aggregate
       *  discard sourceTransportPort in 80
       *  keep sourceIPv4Address
       *  mask/24 destinationIPv4Address in 10.10.0.0/16
       *  aggregate packetDeltaCount

   This rule aggregates all flows to a destination address in the subnet
   10.10.0.0/16 with source port equal to 80.  Destination addresses are
   merged according to subnets in 10.10.x.0/24.  The resulting meta-flow
   records comprise the source address, the destination subnet address,
   and the packet counter.

5.  IPFIX Extensions

   After having a rule's field modifiers applied, all flow records that
   matched a rule comprise the same fields, so for each rule exactly one
   template can be used.  In order to efficiently transmit aggregated
   flows, three extensions to IPFIX are proposed:





Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 8]


Internet-Draft              IPFIX Aggregation              December 2005


   o  New abstract data type "ipv4Network"
   o  New abstract data type "portRanges"
   o  New "Data Template" set

5.1  ipv4Network

   Currently, the transport of IP network information as specified by
   IPFIX is done using separate fields for the network address and the
   corresponding mask.  We propose a new abstract data type ipv4Network
   that represents the common notation of IP networks: address/mask.
   The new abstract data type is built of an unsigned32 for the IPv4
   address and (OPTIONAL) an additional octet specifying the prefix
   length.  The encoding of the IPv4 address corresponds to the
   definition of the ipv4Address in the IPFIX Information Model.

   Although using an ipv4Network field instead of two separate fields
   for prefix and mask will not reduce the length of resulting flow
   records, it eases the work of the aggregator: With ipv4Network, the
   comparison of subnet addresses requires only one field lookup per
   record instead of two.  Furthermore, using the abstract data type
   ipv4Network reduces the template size by one field equalling four
   octets.  Applications such as IPFIX Aggregation benefit from
   ipv4Network if network addresses are frequently exported.

5.2  portRanges

   For some applications it might be useful to restrict the
   applicability of an aggregation rule to flows with source or
   destination port being of a specific set of port numbers.  In an
   aggregation rule, such a set of port numbers can be specified as a
   pattern.  However, the current IPFIX Information Model does not
   define any data type that allows transmitting a set of port numbers,
   which is necessary in order to export the pattern as a common
   property of the resulting meta-flows.  Therefore, the new abstract
   data type portRanges for a list of port ranges is defined in this
   section.

   portRanges is a finite length string of unsigned32 values, each
   consisting of an unsigned16 for the first port number followed by an
   unsigned16 for the last port number of the port range. portRanges MAY
   be used as a variable-length data type as defined in [I-D.ietf-ipfix-
   protocol].

   Data types basing on portRanges MAY also be cast down to unsigned16
   to represent a single Port.  Hence, the transportSourcePort and
   transportDestinationPort data types, currently based on the
   unsigned16 abstract data type, MAY be replaced portRanges-based data
   types.



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt     [Page 9]


Internet-Draft              IPFIX Aggregation              December 2005


   Table 2 shows some encoding examples with portRanges.

      +---------------+--------+---------------------------------+
      | Ports         | Length | Hexadecimal Representation      |
      +---------------+--------+---------------------------------+
      | 80            | 2      | 0050                            |
      | 1:7           | 4      | 0001 0007                       |
      | 80, 443       | 8      | 0050 0050 01BB 01BB             |
      | 1:7, 256:1024 | 8      | 0001 0007 0100 0400             |
      | 20, 80, 443   | 12     | 0014 0014 0050 0050 01BB 01BB   |
      | 1:7, 80, 443  | 12     | 0001 0007 0050 0050 01BB 01BB   |
      +---------------+--------+---------------------------------+

                       Table 2: PortRanges Examples


5.3  Data Template

   Section Section 4.3 described how patterns are used to restrict the
   applicability of an aggregation rule and define common properties of
   the resulting meta-flows.  In order to avoid the overhead of the
   repeated transmission of these common properties in all meta-flow
   records resulting from a given rule, the new template type Data
   Template is introduced.  This template type allows the exporter to
   declare common properties to the analyzer.  Additionally, each Data
   Template Record includes a Preceding Rule field that is used to
   inform the analyzer about the semantics of the aggregation rule sets.

   The basic format of a Data Template Set is shown in Figure 3.  It is
   the same as for a Template Set, except that the Set ID is 4.  The
   format of individual Data Template Records, however, differs from
   that of the standard Template and is shown in Figure 4.



















Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 10]


Internet-Draft              IPFIX Aggregation              December 2005


   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Set ID = 4           |          Length               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Data Template Record 1                    |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                              ...                              |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                     Data Template Record N                    |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          Padding (opt)                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                    Figure 3: Data Template Set Format

   The Data Template Set field definitions are as follows:
   Set ID
      Type of this template set.  A Set ID value of 4 is proposed for
      the Data Template Set.

   Length
      Total length of this set in bytes.

   Padding
      OPTIONAL padding to fill the set to a word boundary.  It MUST
      consist of null-bytes and be at most seven bytes in length


















Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 11]


Internet-Draft              IPFIX Aggregation              December 2005


   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Template ID                  |  Field Count                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Data Count                   |  Preceding Rule               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                       Field 1 Specifier                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                              ...                              |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                       Field N Specifier                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        Data 1 Specifier                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                              ...                              |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                        Data M Specifier                       |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                          Data 1 Value                         |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                              ...                              |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   |                          Data M Value                         |
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                   Figure 4: Data Template Record Format

   The Data Template Record field definitions are as follows:




Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 12]


Internet-Draft              IPFIX Aggregation              December 2005


   Template ID
      Template ID of this Data Template Record.  This value is greater
      than 255.

   Field Count
      Number of regular fields that will be sent in subsequent Data
      Records using this Template.

   Data Count
      Number of fixed-value fields that will be sent in this Template.

   Preceding Rule
      Template ID of the preceding rule that is checked before, or 0 if
      all incoming records are to be checked against this rule.  When a
      Data Template refers to a preceding rule, the Exporter SHOULD make
      sure that the referred Template is also exported in order to
      ensure that the Collector is able to reconstruct the rule order.
      Refer to Section 4.4 for a description of organizing rules in
      chains or trees.

   Field N Specifier
      Information Element identifier, Field length and an Enterprise
      Number (if needed) of field N. Refer to [I-D.ietf-ipfix-protocol]
      for more information on Field Specifiers

   Data M Specifier
      Same as "Field N Specifier", but used for common properties of all
      Data Records of this Template.  Together with Data M Value, a
      similar encoding like TLV (type-length-value) is achieved.

   Data M Value
      Bit representation of a common property as would be transmitted in
      a Data Record.


   Table 3 illustrates the relationship between field modifiers and
   common properties (defined as patterns) on the one hand, and the
   resulting regular and fixed-value fields in the Data Template on the
   other hand.  It can be seen that the analyzer is able to deduce all
   instructions of the aggregation rule considering the structure of the
   Data Template, except the combination "discard without pattern" that
   does not result in any field.









Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 13]


Internet-Draft              IPFIX Aggregation              December 2005


   +----------------+----------------+----------------+----------------+
   | field modifier | pattern        | field in       | fixed-value    |
   |                |                | meta-flow      | field in Data  |
   |                |                | record         | Template       |
   +----------------+----------------+----------------+----------------+
   | discard        | no             | N/A            | N/A            |
   | discard        | yes            | N/A            | yes, contains  |
   |                |                |                | pattern        |
   | keep           | no             | yes            | N/A            |
   | keep           | yes            | yes, if        | yes, contains  |
   |                |                | pattern        | pattern        |
   |                |                | specifies a    |                |
   |                |                | range of       |                |
   |                |                | values         |                |
   | mask           | no             | yes, IP        | N/A            |
   |                |                | network        |                |
   |                |                | address        |                |
   | mask           | yes            | yes, IP        | yes, contains  |
   |                |                | network        | pattern        |
   |                |                | address        |                |
   +----------------+----------------+----------------+----------------+

     Table 3: Relation between field modifiers, meta-flow records, and
                              Data Templates


5.4  Example

   In this example we assume the concentrator was given the following
   aggregation rule:
   1.  Aggregate
       *  discard sourceIPv4Address in 10.0.0.0/23
       *  keep destinatonTransportPort
       *  aggregate packetDeltaCount

   We further assume the concentrator receives the following flow
   records:

   +------------+------------+-------------+-------------+-------------+
   | Source IP  | Source     | Destination | Destination | Packets     |
   |            | Port       | IP          | Port        |             |
   +------------+------------+-------------+-------------+-------------+
   | 10.0.0.1   | 64235      | 10.0.0.10   | 80          | 10          |
   | 10.0.1.2   | 64236      | 10.0.0.11   | 110         | 10          |
   | 10.0.0.3   | 64237      | 10.0.0.12   | 80          | 10          |
   | 10.0.2.4   | 64238      | 10.0.0.13   | 80          | 10          |
   | 10.0.2.5   | 64239      | 10.0.0.14   | 80          | 10          |
   +------------+------------+-------------+-------------+-------------+



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 14]


Internet-Draft              IPFIX Aggregation              December 2005


                          Table 4: Incoming Flows

   Based on the aggregation rule stated above the concentrator would now
   first send a Data Template Set with the Data Template Record
   corresponding to the given rule:

                 +----------------+------------------+
                 | Field          | Value            |
                 +----------------+------------------+
                 | Template ID    | 10001            |
                 | Field Count    | 2                |
                 | Data Count     | 2                |
                 | Preceding Rule | 0                |
                 | Field 1 Type   | Destination Port |
                 | Field 2 Type   | Packets          |
                 | Data 1 Type    | Source IP Prefix |
                 | Data 2 Type    | Source IP Mask   |
                 | Data 1 Value   | 10.0.0.0         |
                 | Data 2 Value   | 23               |
                 +----------------+------------------+

                        Table 5: Data Template used

   In case that the abstract data type ipv4Network was used for a new
   data type Source IP Network, it would look like this:

                 +----------------+-------------------+
                 | Field          | Value             |
                 +----------------+-------------------+
                 | Template ID    | 10001             |
                 | Field Count    | 2                 |
                 | Data Count     | 2                 |
                 | Preceding Rule | 0                 |
                 | Field 1 Type   | Destination Port  |
                 | Field 2 Type   | Packets           |
                 | Data 1 Type    | Source IP Network |
                 | Data 1 Value   | 10.0.0.0/23       |
                 +----------------+-------------------+

                        Table 6: Data Template used

   Secondly, a Data Set of this Data Template is exported containing the
   meta-flows resulting from the given rule.  Note that the flows'
   common property, a source IP address in 10.0.0.0/23, was already
   transmitted in the template.  The exported meta-flow records contain
   the aggregated packet counts and the destination port, which is the
   only discriminating Flow Key property.




Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 15]


Internet-Draft              IPFIX Aggregation              December 2005


                     +------------------+---------+
                     | Destination Port | Packets |
                     +------------------+---------+
                     | 80               | 20      |
                     | 110              | 10      |
                     +------------------+---------+

                         Table 7: Aggregated Flows


6.  Application Examples

6.1  Charging

   Charging applications require separate flow accounting for individual
   end systems.  However, detailed information about all individual
   flows sent or received by the end system is not required.  The
   required level of flow aggregation can be achieved with an
   aggregation rules that discards all Flow Key properties except the IP
   address of the involved end systems.

   The example ruleset can be used for charging end systems in the
   subnet 10.10.0.0/16:
   1.  Aggregate
       *  keep destinationIPv4Address in 10.10.0.0/16
       *  aggregate packetDeltaCount
   2.  Aggregate
       *  keep sourceIPv4Address in 10.10.0.0/16
       *  aggregate packetDeltaCount

   Meta-flow records resulting from the first rule contain packet counts
   of the inbound traffic separated by host IP addresses.  The second
   rule produces the corresponding records for the outbound traffic.
   Protocol and port information is omitted.

6.2  Intrusion Detection

   If flow accounting is employed for intrusion detection, e.g. in order
   to detect denial-of-service attacks, information about the transport
   layer protocol and attacked service, i.e. the destination port, is
   mostly required.  On the other hand, the analysis is typically based
   on flow aggregates exchanged between subnets since processing
   individual flows would require to much processing power.  Detailed
   information about the flows between individual end systems is only
   required if an already detected attack should be analyzed in more
   detail.

   An example ruleset might consist of the following instructions:



Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 16]


Internet-Draft              IPFIX Aggregation              December 2005


   1.  Aggregate
       *  mask/24 destinationIPv4Address in 10.10.0.0/16
       *  mask/24 sourceIPv4Address
       *  keep protocolIdentifier
       *  keep destinationTransportPort
       *  aggregate packetDeltaCount

   Meta-flow records are created for all packets directed to /24 subnets
   in the protected network 10.10.0.0/16.  The destination port and the
   protocol are preserved whereas the source port is discarded.

7.  Security considerations

   As all methods described in this document are merely variations on
   methods already introduced in [I-D.ietf-ipfix-protocol], the same
   rules regarding exchange of flow information apply.

8.  References

8.1  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", March 1997.

8.2  Informative References

   [I-D.ietf-ipfix-architecture]
              Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
              "Architecture for IP Flow Information Export",
              draft-ietf-ipfix-architecture-09 (work in progress),
              August 2005.

   [I-D.ietf-ipfix-protocol]
              Claise, B., "IPFIX Protocol Specifications",
              draft-ietf-ipfix-protocol-19 (work in progress),
              September 2005.

   [I-D.ietf-ipfix-info]
              Quittek, J., Bryant, S., Claise, B., and J. Meyer,
              "Information Model for IP Flow Information Export",
              draft-ietf-ipfix-info-11 (work in progress),
              September 2005.

   [RFC3917]  Quittek, J., Zseby, T., Claise, B., and S. Zander,
              "Requirements for IP Flow Information Export", RFC 3917,
              October 2004.





Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 17]


Internet-Draft              IPFIX Aggregation              December 2005


Authors' Addresses

   Falko Dressler
   University of Erlangen
   Department of Computer Science 7
   Martensstr. 3
   Erlangen  91058
   Germany

   Phone: +49 9131 85-27914
   Email: dressler@informatik.uni-erlangen.de
   URI:   http://www7.informatik.uni-erlangen.de/


   Christoph Sommer
   University of Erlangen
   Department of Computer Science 7
   Martensstr. 3
   Erlangen  91058
   Germany

   Email: sichsomm@stud.informatik.uni-erlangen.de


   Gerhard Muenz
   University of Tuebingen
   Computer Networks and Internet
   Auf der Morgenstelle 10C
   Tuebingen  72076
   Germany

   Phone: +49 7071 29-70534
   Email: muenz@informatik.uni-tuebingen.de
   URI:   http://net.informatik.uni-tuebingen.de/

















Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 18]


Internet-Draft              IPFIX Aggregation              December 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Dressler, et al.    draft-dressler-ipfix-aggregation-02.txt    [Page 19]


Html markup produced by rfcmarkup 1.129b, available from https://tools.ietf.org/tools/rfcmarkup/