[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]
Versions: 00 01 02 03 04 05
Network Working Group F. Dressler
Internet-Draft C. Sommer
Expires: December 26, 2006 University of Erlangen
G. Muenz
University of Tuebingen
June 24, 2006
IPFIX Aggregation
<draft-dressler-ipfix-aggregation-03.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 26, 2006.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
IPFIX Aggregation describes a methodology for reducing the amount of
measurement data exchanged between monitoring devices (IPFIX
exporters) and analyzers (IPFIX collectors). Using aggregation
techniques, measurement information of multiple similar flows is
aggregated into one compound flow aggregate. Subsets of flows
eligible for aggregation, as well as the degree of similarity, can be
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 1]
Internet-Draft IPFIX Aggregation June 2006
customized using aggregation rules.
To ensure efficient communication of both aggregated flows and the
aggregation rules used, the IPFIX Protocol and IPFIX Information
Model are slightly extended to allow for two new abstract data types
and a new type of template set.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4.1 Aggregation Rules . . . . . . . . . . . . . . . . . . . . 5
4.2 Field Modifiers . . . . . . . . . . . . . . . . . . . . . 6
4.3 Patterns and Common Properties . . . . . . . . . . . . . . 7
4.4 Rule Semantics . . . . . . . . . . . . . . . . . . . . . . 8
4.5 Example . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. IPFIX Extensions . . . . . . . . . . . . . . . . . . . . . . . 9
5.1 ipv4Network . . . . . . . . . . . . . . . . . . . . . . . 9
5.2 portRanges . . . . . . . . . . . . . . . . . . . . . . . . 9
5.3 Data Template . . . . . . . . . . . . . . . . . . . . . . 10
5.4 Example . . . . . . . . . . . . . . . . . . . . . . . . . 14
6. Application Examples . . . . . . . . . . . . . . . . . . . . . 16
6.1 Charging . . . . . . . . . . . . . . . . . . . . . . . . . 16
6.2 Intrusion Detection . . . . . . . . . . . . . . . . . . . 16
7. Security considerations . . . . . . . . . . . . . . . . . . . 17
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
8.1 Normative References . . . . . . . . . . . . . . . . . . . 17
8.2 Informative References . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . . 19
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 2]
Internet-Draft IPFIX Aggregation June 2006
1. Introduction
Flow measurement in high-speed large-scale networks easily produces a
huge amount of data that can not be handled by a single IPFIX
collector or analyzer. Also, many applications processing flow
measurement data do not require detailed flow-level information but
only information about flow aggregates, where the quality and level
of flow aggregation is very application-specific. This document
presents a flexible flow aggregation scheme that helps both, reducing
the number and size of exported flow records and adapting the
transmitted measurement information to the requirements of the
application. These goals are achieved by discarding unneeded
measurement information and merging multiple individual flows into a
smaller number of compound flow aggregates before the remaining
measurement data is exported to the analyzer. The following sections
show how to design and implement IPFIX aggregators and introduce
appropriate extensions to the IPFIX protocol.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. Terminology
Apart from the basic terms as defined in [RFC3917], [I-D.ietf-ipfix-
protocol], and [I-D.ietf-ipfix-architecture], the following terms are
used within this document:
Flow aggregate:
A flow aggregate contains information on one or multiple
individual flows. It MAY contain the total count of all packets
that belong to the same flow aggregate and were observed within a
given time interval. Flow properties that were discarded during
flow aggregation are no longer contained in the flow record.
Aggregation rule:
An aggregation rule defines the properties of a flow aggregate and
the content of the corresponding flow record. Optionally, a set
of common properties MAY be specified in order to restrict the
applicability of the rule to those flows that show certain
patterns.
Data Template:
A Data Template, as proposed in Section 5.3, SHOULD be used to
define the structure of the flow record and to inform the analyzer
about the applied aggregation rule and the common properties.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 3]
Internet-Draft IPFIX Aggregation June 2006
3. Architecture
Aggregation of measurement data may take place at two possible
stages:
o An internal aggregator, as depicted in Figure 1, is implemented as
a process running in an IPFIX enabled device. It aggregates flow
data generated by multiple metering processes and exports them as
a flow aggregate. In practical implementations, metering and
aggregation MAY be performed in a single step in order to reduce
the number of retained state information.
+---------------------------------------------+ +--------------+
| IPFIX-enabled device .---. .------. | | |
| .--------------------. | A | | | | .-->| Analyzer |
| | Metering Process 1 |-. | g | | E | | | | |
| `--------------------' | | g | | x P | | | +--------------+
| | | r | | p r |---'
| . '-->| e | | o o | |
| . | g |-->| r c | |
| . .-->| a | | t e | |
| | | t | | i s |---.
| .--------------------. | | i | | n s | | | +--------------+
| | Metering Process N |-' | o | | g | | | | |
| `--------------------' | n | | | | '-->| Concentrator |
| `---' `------' | | |
+---------------------------------------------+ +--------------+
Figure 1: Internal Aggregation
o An external aggregator, called concentrator in IPFIX terminology,
may be used where the deployed monitoring devices cannot be
modified to incorporate an internal aggregator. Furthermore,
concentrators enable cascaded, multi-level aggregation of flow
information. As shown in Figure 2, a concentrator receives flow
records from monitoring devices and/or lower-level concentrators
and exports the flow aggregate information to higher-level
concentrators and/or analyzers.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 4]
Internet-Draft IPFIX Aggregation June 2006
+------------+ +-----------------------------+ +------------+
| | | Concentrator | | |
|Concentrator|-. | .------. .---. .------. | .->| Analyzer |
| | | | | C | | A | | E | | | | |
+------------+ | | | o P | | g | | x P | | | +------------+
'--->| l r | | g | | p r |---'
| | l o | | r | | o o | |
| | e c |-->| e |-->| r c | |
| | c e | | g | | t e | |
| | t s | | a | | i s | |
.--->| i s | | t | | n s |---.
+------------+ | | | n s | | i | | g s | | | +------------+
| | | | | g | | o | | | | | | |
|IPFIX device|-' | | | | n | | | | '->|Concentrator|
| | | `------' `---' `------' | | |
+------------+ +-----------------------------+ +------------+
Figure 2: External Aggregation
4. Methodology
4.1 Aggregation Rules
Regarding the configuration of the aggregator, a rule-based approach
is proposed. A list of user-defined aggregation rules is supplied to
the aggregator. An aggregation rule consists of multiple aggregation
instructions, one for each IPFIX field that is to be considered. An
aggregation instruction comprises the following elements:
o The IPFIX field the aggregation instruction refers to (e.g.
destinationIPv4Address). Only flows that contain the field
mentioned will be considered for aggregation.
o One of the field modifiers "discard", "keep", "mask", or
"aggregate" that specifies how this field is treated by the
aggregator and whether it is included in the flow record or not.
o An OPTIONAL pattern for this field that restricts the aggregation
to those flows that match the given value(s) (e.g. 10.10.0.0/16).
Only flows that match all patterns of the rule will be aggregated.
With this definition of aggregation instructions each rule
unambiguously defines the content of the flow record as well as the
template to export the flow aggregate information. If a field is
present in the flow record and how it is encoded depends on the field
modifier. This behavior is explained in Section 4.2. Fields that do
not appear in any of the aggregation instructions are not part of the
flow record. The usage of patterns in order to define common
properties is explained in Section 4.3.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 5]
Internet-Draft IPFIX Aggregation June 2006
Because the export of a flow record requires an appropriate template,
a one-to-one relationship between rules and templates can be
established. If a one-to-one relationship between rules and
templates exits, Template Ids can serve as identifiers for the
corresponding aggregation rule (see also Section 4.4).
4.2 Field Modifiers
The following field modifiers are applicable to fields that Flow Keys
of incoming flow records as defined in [I-D.ietf-ipfix-architecture].
Depending on the field modifier, these fields can serve as Flow Keys
of the resulting flow records. For incoming flows as well as for
outgoing flow aggregates, the usage of the flowKeyIndicator is
recommended for identification of the Flow Keys.
discard:
The field is not included in the flow records and is no longer a
Flow Key, i.e. flow aggregates are not distinguishable with
respect to this field. Incoming flow records with different
values for this IPFIX field are merged.
keep:
The field remains Flow Key and is included in the flow record,
i.e. flow aggregates are distinguishable with respect to this
field. Incoming flow records with different values for this field
are not merged, but contribute to different flow aggregates
instead.
mask/n (applicable to IP addresses only):
The field is included in the flow record, but the number of
significant bits is reduced to n bits. Incoming flow records with
IP addresses belonging to the same subnet are merged, so flow
aggregates are distinguishable with respect to resulting subnet
addresses only. In accordance with the IPFIX Information Model,
the resulting subnet address MAY be encoded with a IP prefix field
and a IP mask field. It SHOULD, however, be encoded with a single
field of the new abstract data type "ipv4Network" as proposed in
Section 5.1. Independently from the encoding, the corresponding
field identifying the subnet address becomes Flow Key of the flow
aggregate.
In order to define a field in the flow record that does not serve as
Flow Key (typically a time stamp or a count), the field modifier
"aggregate" MUST be applied. Apart from being present in incoming
records, there are no restrictions to the fields, i.e. they can be
Flow Keys or non-Flow Keys of the original flows.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 6]
Internet-Draft IPFIX Aggregation June 2006
aggregate:
The field is included in the flow record but does not serve as
Flow Key. The value for this field is derived from the
corresponding values of the original flows. As also specified in
[I-D.ietf-ipfix-info] for fields for which the value may change
from packet to packet within a single flow, the value is
determined by the first packet observed for the corresponding flow
aggregate, unless a different semantic is explicitly specified for
this Information Element. As a consequence, the value of the
incoming record with the earliest start timestamp is used by
default. For some Information Elements, however, a specific
aggregation function is specified that has to be applied in order
to get the correct value. For example, the start timestamp of the
flow aggregate has to be set to the minimum of the original start
timestamps, while packet and octet counts of aggregated flows are
summed up. Table 1 gives an overview of such Information Elements
that require a specific aggregation function. Refer to the IPFIX
Information Model [I-D.ietf-ipfix-info] for a description of the
mentioned fields.
+-----------------------+----------------------+
| Information Element | Aggregation Function |
+-----------------------+----------------------+
| minimumPacketLength | minimum |
| minimumTtl | minimum |
| flowStartSeconds | minimum |
| flowStartMilliSeconds | minimum |
| maximumPacketLength | maximum |
| maximumTtl | maximum |
| flowEndSeconds | maximum |
| flowEndMilliSeconds | maximum |
| octetDeltaCount | sum |
| packetDeltaCount | sum |
+-----------------------+----------------------+
Table 1: Treatment of Fields Carrying Metering Information
4.3 Patterns and Common Properties
The applicability of an aggregation rule MAY be restricted to flows
whose Flow Keys' values match certain patterns. Thus, patterns act
as filters that enable the selection of flows and flow aggregates
that are exported to the analyzer. For example, the pattern "80" can
be applied to the Flow Key sourceTransportPort in order to export
only (meta-)flows originated by an HTTP server. Patterns MUST NOT be
used in combination with fields that are not Flow Key.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 7]
Internet-Draft IPFIX Aggregation June 2006
The defined patterns constitute common properties of the aggregated
flows. Furthermore, the common properties are the same for all flow
aggregates resulting from the corresponding aggregation rule. Common
properties MAY be exported as regular IPFIX fields. However, in
order to reduce redundancy and to make patterns distinguishable from
other fields, they SHOULD be transmitted as fixed-value fields using
the Data Template presented in Section 5.3. Additionally, encoding
common properties as fixed-value fields make the applied patterns
visible to the analyzer.
4.4 Rule Semantics
By default, incoming flow records are checked against all aggregation
rules. If a rule matches, i.e. if the flow record comprises all
required fields and matches all given patterns, the field modifiers
are applied and the corresponding flow record is generated or
updated. Therefore, incoming flow records that match multiple rules
contribute to multiple flow aggregates.
In some cases, it is preferred that an incoming flow record that
matched a certain rule is not checked against other rules in order to
avoid that this flow contributes to multiple flow aggregates.
Therefore, it is possible to indicate a preceding rule for each
aggregation rule. If a preceding rule is given, the aggregator tries
to aggregate an incoming flow according to the preceding rule. Only
if the preceding rule is not applicable, e.g. because the incoming
flow does not match the given pattern, the current rule is applied.
Using the preceding rule relationship, rules can be organized in rule
chains and rule trees where only the first matching rule is applied
in every chain or branch. Consequently, each flow record is counted
at most once per chain or tree. Rules that do not define a preceding
rule are used to check all incoming flow records and may constitute
the beginning of a rule chain or the root of a rule tree.
The Preceding Rule field in the header of the Data Template (see
Section 5.3) is used to identify the preceding rule by its Template
ID. If this ID is set to 0, there is no preceding rule and the rule
is checked against all incoming records.
4.5 Example
Here is an example rule with four aggregation instructions:
1. Aggregate
* discard sourceTransportPort in 80
* keep sourceIPv4Address
* mask/24 destinationIPv4Address in 10.10.0.0/16
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 8]
Internet-Draft IPFIX Aggregation June 2006
* aggregate packetDeltaCount
This rule aggregates all flows containing at least
sourceTransportPort, sourceIPv4Address, destinationIPv4Address and
packetDeltaCount. In addition, the destination address must be in
the subnet 10.10.0.0/16 and the source port must be equal to 80.
Destination addresses are merged according to subnets in
10.10.x.0/24. The resulting flow records comprise the source
address, the destination subnet address, and the packet counter. The
two patterns for sourceTransportPort and destinationIPv4Address are
exported as fixed-value fields with the template if the Data Template
specified in Section 5.3 is used. Flow that are not covered by any
aggregation rule are discarded.
5. IPFIX Extensions
After having a rule's field modifiers applied, all flow records that
matched a rule comprise the same fields, so for each rule exactly one
template can be used. In order to efficiently transmit aggregated
flows, three extensions to IPFIX are proposed:
o New abstract data type "ipv4Network"
o New abstract data type "portRanges"
o New "Data Template" set
5.1 ipv4Network
Currently, the transport of IP network information as specified by
IPFIX is done using separate fields for the network address and the
corresponding mask. We propose a new abstract data type ipv4Network
that represents the common notation of IP networks: address/mask.
The new abstract data type is built of an unsigned32 for the IPv4
address and (OPTIONAL) an additional octet specifying the prefix
length. The encoding of the IPv4 address corresponds to the
definition of the ipv4Address in the IPFIX Information Model.
Although using an ipv4Network field instead of two separate fields
for prefix and mask will not reduce the length of resulting flow
records, it eases the work of the aggregator: With ipv4Network, the
comparison of subnet addresses requires only one field lookup per
record instead of two. Furthermore, using the abstract data type
ipv4Network reduces the template size by one field equalling four
octets. Applications such as IPFIX Aggregation benefit from
ipv4Network if network addresses are frequently exported.
5.2 portRanges
For some applications it might be useful to restrict the
applicability of an aggregation rule to flows with source or
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 9]
Internet-Draft IPFIX Aggregation June 2006
destination port being of a specific set of port numbers. In an
aggregation rule, such a set of port numbers can be specified as a
pattern. However, the current IPFIX Information Model does not
define any data type that allows transmitting a set of port numbers,
which is necessary in order to export the pattern as a common
property of the resulting flow aggregates. Therefore, the new
abstract data type portRanges for a list of port ranges is defined in
this section.
portRanges is a finite length string of unsigned32 values, each
consisting of an unsigned16 for the first port number followed by an
unsigned16 for the last port number of the port range. portRanges MAY
be used as a variable-length data type as defined in [I-D.ietf-ipfix-
protocol].
Data types basing on portRanges MAY also be cast down to unsigned16
using reduced size encoding to represent a single Port. Hence, the
transportSourcePort and transportDestinationPort data types,
currently based on the unsigned16 abstract data type, MAY be replaced
portRanges-based data types.
Table 2 shows some encoding examples with portRanges.
+---------------+--------+---------------------------------+
| Ports | Length | Hexadecimal Representation |
+---------------+--------+---------------------------------+
| 80 | 2 | 0050 |
| 1:7 | 4 | 0001 0007 |
| 80, 443 | 8 | 0050 0050 01BB 01BB |
| 1:7, 256:1024 | 8 | 0001 0007 0100 0400 |
| 20, 80, 443 | 12 | 0014 0014 0050 0050 01BB 01BB |
| 1:7, 80, 443 | 12 | 0001 0007 0050 0050 01BB 01BB |
+---------------+--------+---------------------------------+
Table 2: PortRanges Examples
5.3 Data Template
Section Section 4.3 described how patterns are used to restrict the
applicability of an aggregation rule and define common properties of
the resulting flow aggregates. In order to avoid the overhead of the
repeated transmission of these common properties in all flow records
resulting from a given rule, the new template type Data Template is
introduced. This template type allows the exporting process to
declare common properties to the analyzer. Additionally, each Data
Template Record includes a Preceding Rule field that is used to
inform the analyzer about the semantics of the aggregation rule sets.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 10]
Internet-Draft IPFIX Aggregation June 2006
The basic format of a Data Template Set is shown in Figure 3. It is
the same as for a Template Set, except that the Set ID is 4. The
format of individual Data Template Records, however, differs from
that of the standard Template and is shown in Figure 4.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Set ID = 4 | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data Template Record 1 |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| ... |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data Template Record N |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Padding (opt) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 3: Data Template Set Format
The Data Template Set field definitions are as follows:
Set ID
Type of this template set. A Set ID value of 4 is proposed for
the Data Template Set.
Length
Total length of this set in bytes.
Padding
OPTIONAL padding to fill the set to a word boundary. It MUST
consist of null-bytes and be at most seven bytes in length
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 11]
Internet-Draft IPFIX Aggregation June 2006
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Template ID | Field Count |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data Count | Preceding Rule |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Field 1 Specifier |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| ... |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Field N Specifier |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data 1 Specifier |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| ... |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data M Specifier |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data 1 Value |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| ... |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Data M Value |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 4: Data Template Record Format
The Data Template Record field definitions are as follows:
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 12]
Internet-Draft IPFIX Aggregation June 2006
Template ID
Template ID of this Data Template Record. This value is greater
than 255.
Field Count
Number of regular fields that will be sent in subsequent Data
Records using this Template.
Data Count
Number of fixed-value fields that will be sent in this Template.
Preceding Rule
Template ID of the preceding rule that is checked before, or 0 if
all incoming records are to be checked against this rule. When a
Data Template refers to a preceding rule, the exporting process
SHOULD make sure that the referred Template is also exported in
order to ensure that the collecting process is able to reconstruct
the rule order. Refer to Section 4.4 for a description of
organizing rules in chains or trees.
Field N Specifier
Information Element identifier, Field length and an Enterprise
Number (if needed) of field N. Refer to [I-D.ietf-ipfix-protocol]
for more information on Field Specifiers
Data M Specifier
Same as "Field N Specifier", but used for common properties of all
Data Records of this Template. Together with Data M Value, a
similar encoding like TLV (type-length-value) is achieved.
Data M Value
Bit representation of a common property as would be transmitted in
a Data Record.
Table 3 illustrates the relationship between field modifiers and
common properties (defined as patterns) on the one hand, and the
resulting regular and fixed-value fields in the Data Template on the
other hand. It can be seen that the analyzer is able to deduce all
instructions of the aggregation rule considering the structure of the
Data Template, except the combination "discard without pattern" that
does not result in any field.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 13]
Internet-Draft IPFIX Aggregation June 2006
+----------------+----------------+----------------+----------------+
| field modifier | pattern | field in flow | fixed-value |
| | | record | field in Data |
| | | | Template |
+----------------+----------------+----------------+----------------+
| discard | no | N/A | N/A |
| discard | yes | N/A | yes, contains |
| | | | pattern |
| keep | no | yes | N/A |
| keep | yes | yes, if | yes, contains |
| | | pattern | pattern |
| | | specifies a | |
| | | range of | |
| | | values | |
| mask | no | yes, IP | N/A |
| | | network | |
| | | address | |
| mask | yes | yes, IP | yes, contains |
| | | network | pattern |
| | | address | |
+----------------+----------------+----------------+----------------+
Table 3: Relation between field modifiers, flow records, and Data
Templates
5.4 Example
In this example we assume the concentrator was given the following
aggregation rule:
1. Aggregate
* discard sourceIPv4Address in 10.0.0.0/23
* keep destinatonTransportPort
* aggregate packetDeltaCount
We further assume the concentrator receives the following flow
records:
+------------+------------+-------------+-------------+-------------+
| Source IP | Source | Destination | Destination | Packets |
| | Port | IP | Port | |
+------------+------------+-------------+-------------+-------------+
| 10.0.0.1 | 64235 | 10.0.0.10 | 80 | 10 |
| 10.0.1.2 | 64236 | 10.0.0.11 | 110 | 10 |
| 10.0.0.3 | 64237 | 10.0.0.12 | 80 | 10 |
| 10.0.2.4 | 64238 | 10.0.0.13 | 80 | 10 |
| 10.0.2.5 | 64239 | 10.0.0.14 | 80 | 10 |
+------------+------------+-------------+-------------+-------------+
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 14]
Internet-Draft IPFIX Aggregation June 2006
Table 4: Incoming Flows
Based on the aggregation rule stated above the concentrator would now
first send a Data Template Set with the Data Template Record
corresponding to the given rule:
+----------------+------------------+
| Field | Value |
+----------------+------------------+
| Template ID | 10001 |
| Field Count | 2 |
| Data Count | 2 |
| Preceding Rule | 0 |
| Field 1 Type | Destination Port |
| Field 2 Type | Packets |
| Data 1 Type | Source IP Prefix |
| Data 2 Type | Source IP Mask |
| Data 1 Value | 10.0.0.0 |
| Data 2 Value | 23 |
+----------------+------------------+
Table 5: Data Template used
In case that the abstract data type ipv4Network was used for a new
data type Source IP Network, it would look like this:
+----------------+-------------------+
| Field | Value |
+----------------+-------------------+
| Template ID | 10001 |
| Field Count | 2 |
| Data Count | 2 |
| Preceding Rule | 0 |
| Field 1 Type | Destination Port |
| Field 2 Type | Packets |
| Data 1 Type | Source IP Network |
| Data 1 Value | 10.0.0.0/23 |
+----------------+-------------------+
Table 6: Data Template used
Secondly, a Data Set of this Data Template is exported containing the
flow aggregates resulting from the given rule. Note that the flows'
common property, a source IP address in 10.0.0.0/23, was already
transmitted in the template. The exported flow records contain the
aggregated packet counts and the destination port, which is the only
discriminating Flow Key property.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 15]
Internet-Draft IPFIX Aggregation June 2006
+------------------+---------+
| Destination Port | Packets |
+------------------+---------+
| 80 | 20 |
| 110 | 10 |
+------------------+---------+
Table 7: Aggregated Flows
6. Application Examples
6.1 Charging
Charging applications require separate flow accounting for individual
end systems. However, detailed information about all individual
flows sent or received by the end system is not required. The
required level of flow aggregation can be achieved with an
aggregation rules that discards all Flow Key properties except the IP
address of the involved end systems.
The example ruleset can be used for charging end systems in the
subnet 10.10.0.0/16:
1. Aggregate
* keep destinationIPv4Address in 10.10.0.0/16
* aggregate packetDeltaCount
2. Aggregate
* keep sourceIPv4Address in 10.10.0.0/16
* aggregate packetDeltaCount
flow records resulting from the first rule contain packet counts of
the inbound traffic separated by host IP addresses. The second rule
produces the corresponding records for the outbound traffic.
Protocol and port information is omitted.
6.2 Intrusion Detection
If flow accounting is employed for intrusion detection, e.g. in order
to detect denial-of-service attacks, information about the transport
layer protocol and attacked service, i.e. the destination port, is
mostly required. On the other hand, the analysis is typically based
on flow aggregates exchanged between subnets since processing
individual flows would require to much processing power. Detailed
information about the flows between individual end systems is only
required if an already detected attack should be analyzed in more
detail.
An example ruleset might consist of the following instructions:
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 16]
Internet-Draft IPFIX Aggregation June 2006
1. Aggregate
* mask/24 destinationIPv4Address in 10.10.0.0/16
* mask/24 sourceIPv4Address
* keep protocolIdentifier
* keep destinationTransportPort
* aggregate packetDeltaCount
flow records are created for all packets directed to /24 subnets in
the protected network 10.10.0.0/16. The destination port and the
protocol are preserved whereas the source port is discarded.
7. Security considerations
As all methods described in this document are merely variations on
methods already introduced in [I-D.ietf-ipfix-protocol], the same
rules regarding exchange of flow information apply.
8. References
8.1 Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997.
8.2 Informative References
[I-D.ietf-ipfix-architecture]
Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek,
"Architecture for IP Flow Information Export",
draft-ietf-ipfix-architecture-11 (work in progress),
June 2006.
[I-D.ietf-ipfix-protocol]
Claise, B., "IPFIX Protocol Specifications",
draft-ietf-ipfix-protocol-22 (work in progress),
June 2006.
[I-D.ietf-ipfix-info]
Quittek, J., Bryant, S., Claise, B., and J. Meyer,
"Information Model for IP Flow Information Export",
draft-ietf-ipfix-info-12 (work in progress), June 2006.
[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander,
"Requirements for IP Flow Information Export", RFC 3917,
October 2004.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 17]
Internet-Draft IPFIX Aggregation June 2006
Authors' Addresses
Falko Dressler
University of Erlangen
Department of Computer Science 7
Martensstr. 3
Erlangen 91058
Germany
Phone: +49 9131 85-27914
Email: dressler@informatik.uni-erlangen.de
URI: http://www7.informatik.uni-erlangen.de/
Christoph Sommer
University of Erlangen
Department of Computer Science 7
Martensstr. 3
Erlangen 91058
Germany
Email: sichsomm@stud.informatik.uni-erlangen.de
Gerhard Muenz
University of Tuebingen
Computer Networks and Internet
Auf der Morgenstelle 10C
Tuebingen 72076
Germany
Phone: +49 7071 29-70534
Email: muenz@informatik.uni-tuebingen.de
URI: http://net.informatik.uni-tuebingen.de/
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 18]
Internet-Draft IPFIX Aggregation June 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Dressler, et al. draft-dressler-ipfix-aggregation-03.txt [Page 19]
Html markup produced by rfcmarkup 1.129d, available from
https://tools.ietf.org/tools/rfcmarkup/