IPFIX Working Group                                         A. Kobayashi
Internet-Draft                                                H. Nishida
Intended status: Informational                               NTT PF Lab.
Expires: August 15, 2009                                       B. Claise
                                                           Cisco Systems
                                                       February 11, 2009

                       IPFIX Mediation: Framework
                draft-ietf-ipfix-mediators-framework-02

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 15, 2009.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Kobayashi, et al.        Expires August 15, 2009                [Page 1]
Internet-Draft           IPFIX Mediation Framework         February 2009

Abstract

This document describes a framework for IPFIX Mediation. This framework details the IPFIX Mediation reference model and the components of an IPFIX Mediator.

Table of Contents

1. Introduction
2. Terminology and Definition
3. IPFIX/PSAMP Documents Overview
   3.1. IPFIX Documents Overview
   3.2. PSAMP Documents Overview
4. IPFIX Mediation Reference Model
5. IPFIX Mediation Functional and Logical Blocks
   5.1. Collecting Process
   5.2. Exporting Process
   5.3. Intermediate Process
      5.3.1. Selection Function
      5.3.2. Aggregation Function
      5.3.3. Correlation Function
      5.3.4. Modification Function
   5.4. IPFIX File Writer/Reader
   5.5. Flow Expiration
   5.6. Information Model
   5.7. Examples
6. Security Considerations
7. IANA Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Appendix A. Acknowledgements
Authors' Addresses

1. Introduction

IPFIX Mediation has two classes: context mediation, which operates on the traffic data, and transport mediation, which changes the transport protocol without affecting the content. Context mediation aggregates, correlates, filters, or modifies Data Records. Transport mediation changes the transport protocol that carries IPFIX Messages. This document describes the framework for IPFIX Mediation.
The motivation for the IPFIX Mediation standard comes from the need for functional blocks that support IP traffic growth, multifaceted traffic measurement, and heterogeneous environments, as described in detail in [I-D.ietf-ipfix-mediator-ps]. The standard therefore requires definitions of IPFIX Mediation and of the IPFIX Mediator.

This document is organized as follows. Section 2 defines terminology related to IPFIX Mediation. Section 4 describes the high-level reference model. Section 5 details the components of the IPFIX Mediator.

2. Terminology and Definition

The terms in this section are in line with those in the IPFIX protocol specification [RFC5101] and the PSAMP protocol specification [I-D.ietf-psamp-protocol]. The terms Observation Point, Observation Domain, Flow Key, Flow Record, Exporting Process, Exporter, IPFIX Device, Collecting Process, Collector, IPFIX Message, Metering Process, and Information Element are defined in the IPFIX protocol specification [RFC5101]; the term Packet Report is defined in the PSAMP protocol specification [I-D.ietf-psamp-protocol]; and the terms IPFIX Mediation, IPFIX Mediator, Original Exporter, IPFIX Proxy, IPFIX Concentrator, IPFIX Distributor, and IPFIX Masquerading Proxy are defined in the IPFIX Mediation problem statement [I-D.ietf-ipfix-mediator-ps]. Additional terms required for IPFIX Mediation are defined here. All these terms have an initial capital letter in this document.

Intermediate Process

An Intermediate Process generates new sets of Data Records/Template Records from input Data Records/Template Records.

Mediator Observation Domain

A Mediator Observation Domain indicates the largest set of Observation Points from the viewpoint of a Collector. A Mediator Observation Domain ID is carried in the IPFIX Message header, in the position of the Observation Domain ID of [RFC5101]. However, the Mediator Observation Domain ID may not identify the physical entity of an Original Exporter; for example, the value may indicate a set of Exporters, or a set of line cards in an Exporter. The Mediator Observation Domain ID is 0 when an IPFIX Masquerading Proxy screens out the Mediator Observation Domain ID.

Note: [RFC5101] states that the Observation Domain ID should be 0 when no specific Observation Domain ID is relevant for the entire IPFIX Message, for instance in a hierarchy of Collectors where aggregated Data Records are exported. However, even in the case of aggregation, the IPFIX Mediator can set a meaningful value. This shows the conflict between the Observation Domain ID and the Mediator Observation Domain ID.

Transport Session Information

The Transport Session is specified in [RFC5101]. In SCTP, the Transport Session Information is the SCTP association. In TCP and UDP, the Transport Session Information corresponds to the 5-tuple {Exporter IP address, Collector IP address, Exporter transport port, Collector transport port, transport protocol}.

3. IPFIX/PSAMP Documents Overview

3.1. IPFIX Documents Overview

The IPFIX protocol [RFC5101] provides network administrators with access to IP flow information. The architecture for the export of measured IP flow information from an IPFIX Exporting Process to a Collecting Process is defined in [I-D.ietf-ipfix-architecture], per the requirements defined in [RFC3917]. The IPFIX protocol [RFC5101] specifies how IPFIX Data Records and Templates are carried over a number of transport protocols from IPFIX Exporting Processes to IPFIX Collecting Processes. IPFIX has a formal description of its Information Elements, their names, types, and additional semantic information, as specified in [RFC5102]. [I-D.ietf-ipfix-mib] specifies the IPFIX Management Information Base. Finally, [I-D.ietf-ipfix-as] describes what types of applications can use the IPFIX protocol and how they can use the information provided; it furthermore shows how the IPFIX framework relates to other architectures and frameworks. The storage of IPFIX Messages in a file is specified in [I-D.ietf-ipfix-file].

3.2. PSAMP Documents Overview

The framework for packet selection and reporting [I-D.ietf-psamp-framework] enables network elements to select subsets of packets by statistical and other methods and to export a stream of reports on the selected packets to a Collector. The set of packet selection techniques (sampling, filtering, and hashing) standardized by PSAMP is described in [I-D.ietf-psamp-sample-tech]. The PSAMP protocol [I-D.ietf-psamp-protocol] specifies the export of packet information from a PSAMP Exporting Process to a Collector. Like IPFIX, PSAMP has a formal description of its Information Elements, their names, types, and additional semantic information. The PSAMP information model is defined in [I-D.ietf-psamp-info]. [I-D.ietf-psamp-mib] describes the PSAMP Management Information Base.

4. IPFIX Mediation Reference Model

The figure below shows the high-level reference model for IPFIX Mediation, based on [I-D.ietf-ipfix-architecture]. The figure covers the various scenarios that can exist in an IPFIX measurement system.
+---------------------------+      +---------------------------+
| Collector {l}             |      | Collector {k}             |
|[*Application(s)]          |      |[*Application(s)]          |
|[Collecting Process(es)]   |......|[Collecting Process(es)]   |
+---------------------------+      +---------------------------+
       ^         ^                       ^         ^
       |         |                       |         |
       |         +----------....---------+         |
       |                                           |
       |     IPFIX (Flow Records / Packet Reports) |
       |                                           |
+------+--------------------+      +---------------+-----------+
|IPFIX Mediator {j}         |      |IPFIX Mediator {n}         |
|[*Application(s)]          |      |[*Application(s)]          |
|[Exporting Process(es)]    |      |[Exporting Process(es)]    |
|[Intermediate Process(es)] |......|[Intermediate Process(es)] |
|[Collecting Process(es)]   |      |[Collecting Process(es)]   |
+---------------------------+      +---------------------------+
       ^         ^                       ^
       |         |                       |
       |         +----------....---------+
       |                                 |
       |     IPFIX (Flow Records / Packet Reports)
       |                                 |
+------+--------------------+      +-----+---------------------+
|IPFIX Original Exporter {i}|      |IPFIX Original Exporter {m}|
|[Exporting Process(es)]    |      |[Exporting Process(es)]    |
|[Metering Process(es)]     |......|[Metering Process(es)]     |
|[Observation Point(s)]     |      |[Observation Point(s)]     |
+---------------------------+      +---------------------------+
       ^         ^                       ^         ^
       |         |                       |         |
            Packets coming to Observation Points

Figure A: Reference Model for IPFIX Mediation.

The various functional components are indicated within brackets []. The functional components marked [*] are outside the scope of this document and of [I-D.ietf-ipfix-architecture].

The figure below shows the basic IPFIX Mediator component model. The IPFIX Mediator is formally defined as consisting of one or more Collecting Processes, zero or more Intermediate Processes, and one or more Exporting Processes. The IPFIX Mediator devices described in [I-D.ietf-ipfix-mediator-ps], i.e., IPFIX Proxy, IPFIX Masquerading Proxy, IPFIX Distributor, and IPFIX Concentrator, are composed of these components.
              IPFIX (Flow Records / Packet Reports)
                          ^
+-------------------------|------------------------+
| IPFIX Mediator          |                        |
|                         |                        |
|  .----------------------+--------------------.   |
|  | Exporting Process(es)                     |   |
|  '----------------------^--------------------'   |
|                         |                        |
|  .----------------------+--------------------.   |
|  | Intermediate Process(es) (optional)       |   |
|  '----------------------^--------------------'   |
|                         |                        |
|  .----------------------+--------------------.   |
|  | Collecting Process(es)                    |   |
|  '----------------------^--------------------'   |
+-------------------------|------------------------+
                          |
              IPFIX (Flow Records / Packet Reports)

Figure B: IPFIX Mediator Basic Component Model.

An Original Exporter that includes IPFIX Mediation is modeled as follows.

              IPFIX (Flow Records / Packet Reports)
                          ^
+-------------------------|------------------------+
| Original Exporter       |                        |
|                         |                        |
|  .----------------------+--------------------.   |
|  | Exporting Process(es)                     |   |
|  '----------------------^--------------------'   |
|                         |                        |
|  .----------------------+--------------------.   |
|  | Intermediate Process(es)                  |   |
|  '---------^-----------------------^---------'   |
|            |Flow Records or        |             |
|            |Packet Reports         |             |
|  .---------+-----------. .---------+-----------. |
|  | Metering Process {i}|.| Metering Process {n}| |
|  '---------^-----------' '---------^-----------' |
|            |                       |             |
|  .---------+-----------. .---------+-----------. |
|  |Observation Point {i}|.|Observation Point {n}| |
|  '---------^-----------' '---------^-----------' |
+------------|-----------------------|-------------+
             |                       |
          Packets coming to Observation Points

Figure C: Component Model for Original Exporter with Mediation.

5. IPFIX Mediation Functional and Logical Blocks

This section describes each component of IPFIX Mediation and IPFIX Mediators in detail, together with examples applicable to that component.

5.1. Collecting Process

The Collecting Processes described in [RFC5101] receive Data Records together with information relating to their treatment in the Metering Process and Exporting Process of the Original Exporter, such as the sampling rate, the IPFIX Message header information, and the Transport Session Information. The Collecting Processes transmit this set of data to multiple components: Intermediate Processes and Exporting Processes. In other words, the processes may duplicate received Data Records and transmit them to multiple components, in sequence or in parallel.

5.2. Exporting Process

The Exporting Processes described in [RFC5101] transmit Data Records to one or more Collectors. The processes manage the reporting Templates and create IPFIX Messages.

5.3. Intermediate Process

The Intermediate Processes generate new sets of Data Records from input Data Records, using the context information collected by the Collecting Process, which includes the "Export Time" and "Observation Domain ID" carried in IPFIX Message headers. The processes host one of the functions defined below, or a combination of them, in any sequence and in any set. In the case of a combination, the output of each function can be the input of other functions. The following subsections describe each function.

5.3.1. Selection Function

The Selection Function determines which input Data Records are selected by matching them against a filtering policy, and then transmits the selected records to the next processes or functions. The function is similar to the Selection Process described in [I-D.ietf-psamp-sample-tech]. The function covers several selection techniques, such as property match filtering and sampling. In property match filtering, if the value of a specified Information Element equals a configured value, the function selects the Data Record for transmission. Combining Selection Functions with other functions provides some useful applications.

Data-based Collector Selection

The combination of one or more Selection Functions and Exporting Processes can determine to which Collector input Data Records are exported. Applicable examples include exporting Data Records to a dedicated Collector on the basis of customer or organization peering. For example, selectors select Data Records on the basis of a peering AS number, as shown in the following figure, and each set of Data Records is exported to the Collector dedicated to that peering AS number.

          .----------------------.
          | Intermediate Process |     +----------------+
          |                      |     | Exporting      |
          | +- Selection #1 -----+---->| Process #1     |--> Collector #1
   Data   | |  Peering AS #10    |     +----------------+
   Record | |                    |     +----------------+
   -------+-+- Selection #2 -----+---->| Exporting      |--> Collector #2
          | |  Peering AS #20    |     | Process #2     |
          | |                    |     +----------------+
          | |                    |     +----------------+
          | +- Selection #3 -----+---->| Exporting      |--> Collector #3
          |    Peering AS #30    |     | Process #3     |
          '----------------------'     +----------------+

Figure D: Exporting classified Data Records to dedicated Collectors.

Flow Selection and Aggregation

The combination of one or more Selection Functions and Aggregation Functions can efficiently reduce the number of Flow Records. For example, one selector selects small Flows consisting of a small number of packets and transmits them to the Aggregation Function, while another selector selects the remaining Flows and transmits them directly to the Exporting Process, as shown in the following figure. This results in aggregation based on the distribution of the number of packets per Flow.

          .-------------------------------------.   .-------------------.
          | Intermediate Process                |   | Exporting Process |
          |                                     |   |                   |
   Data   | +- Selection #1 -----> Aggregation -+-->|                   |
   Record | |  packetDeltaCount <= 5            |   |                   |
   -------+-+                                   |   |                   |
          | |                                   |   |                   |
          | +- Selection #2 --------------------+-->|                   |
          |    packetDeltaCount > 5             |   |                   |
          '-------------------------------------'   '-------------------'

Figure E: Flow Selection and Aggregation.

5.3.2. Aggregation Function

The Aggregation Function creates aggregated Flow Records from input Flow Records/Packet Reports. The aggregation method is divided into three types.

Flow Key Field Selection

Decreasing the number of fields considered as Flow Keys, to three, two, or one Flow Key field for example, creates more coarsely aggregated Flow Records. The function gathers Data Records within a given time interval and then merges the Data Records that have common properties: if the values of the given Flow Key fields are the same, the Data Records have common properties, and the function merges them in accordance with the aggregation policy. In addition, the function can create statistical data and subsidiary information related to the aggregated Flow Records. Examples include the number of input Data Records, the given time interval, and the new set of Flow Keys.

Time Composition

Time composition is defined as the aggregation of Flow Records with identical Flow Key values within a given time interval. The function may also compute Flow Record statistics, such as the maximum and minimum values of each counter.
The statistics enable the visualization of the behavior of traffic volume over a long time period. The function provides the following advantages:

* reducing the number of Flow Records for long-running Flows
* computing the active time period for long-running Flows
* revealing the up-and-down traffic volume within an active time

Short-period Flow Records created by configuring a short active timeout, e.g., 1 or 10 seconds, are merged over a longer time period, e.g., 60 or 300 seconds, at an IPFIX Mediator. While merging, the IPFIX Mediator computes new metrics such as the maximum and minimum. This produces more precise maximum and minimum values without increasing the number of Flow Records at the Collector.

Space Composition

Space composition is defined as aggregation over a larger Observation Domain or over a set of Observation Points. Generally, Flow Key fields are included in a Flow Record. In this case, other properties that are not included in the Flow Record, such as the Exporter IP address or the Observation Domain ID, become Flow Key fields. In addition, a group identifier indicating a spatial Observation Domain can also become a new Flow Key. For example, a group can indicate an area of an ISP network, or a link aggregation interface composed of physical interfaces. The group can also be related, by a configured rule, to a set of values of specified Information Elements in the Flow Records. After converting the values of the specified Information Elements to the group identifier, the function can create aggregated Flow Records by the general aggregation process.

5.3.3. Correlation Function

The Correlation Function creates new metrics by evaluating the correlation among sets of Flow Records/Packet Reports. These sets can be Flow Records gathered during a certain period, a pair of consecutive Packet Reports, or Packet Reports exported by different Exporters for the same packet. After producing the new metrics, the function outputs Flow Records with the new metric fields. Applicable examples are as follows.

o One-way delay follows from the correlation of Packet Reports exported from different Exporters on the path.

o Packet interval time, or jitter, follows from the correlation of consecutive Packet Reports exported from the same Exporter.

o Difference values follow from the correlation of Flow Records observed at ingress and egress interfaces. The values help to confirm the result of a queueing or rate-limiting function.

o Average/maximum/minimum values follow from the correlation of each counter in a set of Flow Records.

5.3.4. Modification Function

The Modification Function modifies input Data Records without changing their granularity. The function can add new Information Elements, delete existing Information Elements, or modify the value of specified Information Elements. If the function modifies the data structure of an original Template, it also needs to modify the value of the "flowKeyIndicator".

Adding specified Information Elements

The function obtains the value of a specified Information Element and then adds it to the Data Records. There are several methods to obtain the value: retrieving it from a database, or calculating it from the values of other Information Elements and the received traffic data. Applicable examples include adding derived packet property parameters. Doing so compensates for traditional exporting devices or probes that are unable to add packet property parameters themselves.
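The first two Correlation Function examples of Section 5.3.3 (one-way delay from Packet Reports of two Exporters on a path, and packet interval or jitter from consecutive reports of one Exporter), as an added Python example that is not code from the draft. It assumes each Packet Report carries exporterIPv4Address and observationTimeMicroseconds from [RFC5102] and digestHashValue from the PSAMP information model [I-D.ietf-psamp-info], so that reports describing the same packet at both Exporters can be matched; the report values and the output metric names (minOneWayDelayMicroseconds and so on) are constructed for the example.

```python
"""Added example: a Correlation Function over PSAMP Packet Reports
(illustrative, not code from the draft)."""
from typing import Dict, List, Optional

# Constructed Packet Reports for the same packets observed at an ingress
# Exporter (192.0.2.10) and an egress Exporter (192.0.2.20) on one path;
# digests and timestamps are invented for this example.
INGRESS_REPORTS: List[dict] = [
    {"exporterIPv4Address": "192.0.2.10", "digestHashValue": 0x1A2B,
     "observationTimeMicroseconds": 1_000_000},
    {"exporterIPv4Address": "192.0.2.10", "digestHashValue": 0x3C4D,
     "observationTimeMicroseconds": 1_000_250},
    {"exporterIPv4Address": "192.0.2.10", "digestHashValue": 0x5E6F,
     "observationTimeMicroseconds": 1_000_500},
    {"exporterIPv4Address": "192.0.2.10", "digestHashValue": 0x7081,
     "observationTimeMicroseconds": 1_001_000},   # never reported at egress
]
EGRESS_REPORTS: List[dict] = [
    {"exporterIPv4Address": "192.0.2.20", "digestHashValue": 0x3C4D,
     "observationTimeMicroseconds": 1_002_400},
    {"exporterIPv4Address": "192.0.2.20", "digestHashValue": 0x1A2B,
     "observationTimeMicroseconds": 1_002_100},
    {"exporterIPv4Address": "192.0.2.20", "digestHashValue": 0x5E6F,
     "observationTimeMicroseconds": 1_002_550},
]


def _unique_by_digest(reports: List[dict]) -> Dict[int, int]:
    """Index observation times by digestHashValue, leaving out digests that
    occur more than once at the same Exporter: those cannot be matched
    unambiguously (hash collision or duplicated packet)."""
    counts: Dict[int, int] = {}
    for r in reports:
        counts[r["digestHashValue"]] = counts.get(r["digestHashValue"], 0) + 1
    return {r["digestHashValue"]: r["observationTimeMicroseconds"]
            for r in reports if counts[r["digestHashValue"]] == 1}


def one_way_delay(ingress: List[dict], egress: List[dict]) -> Dict[int, int]:
    """Correlate Packet Reports from two Exporters that describe the same
    packet (same digest); the difference of the observation times is the
    one-way delay in microseconds.  Packets reported by only one Exporter
    stay uncorrelated and are omitted."""
    seen_ingress = _unique_by_digest(ingress)
    seen_egress = _unique_by_digest(egress)
    return {h: seen_egress[h] - seen_ingress[h]
            for h in seen_ingress if h in seen_egress}


def packet_intervals(reports: List[dict]) -> List[int]:
    """Correlate consecutive Packet Reports of one Exporter: the gaps between
    successive observation times (microseconds) describe the jitter."""
    times = sorted(r["observationTimeMicroseconds"] for r in reports)
    return [later - earlier for earlier, later in zip(times, times[1:])]


def correlated_flow_record(ingress: List[dict], egress: List[dict]) -> dict:
    """Output of the Correlation Function: one Flow Record carrying the new
    metrics.  The metric element names are placeholders for this example,
    not registered Information Elements."""
    delays = one_way_delay(ingress, egress)
    values = list(delays.values())
    record: dict = {
        "ingressExporterIPv4Address": ingress[0]["exporterIPv4Address"] if ingress else None,
        "egressExporterIPv4Address": egress[0]["exporterIPv4Address"] if egress else None,
        "correlatedPacketCount": len(values),
        "uncorrelatedPacketCount": len(ingress) - len(values),
    }
    if values:
        record.update({"minOneWayDelayMicroseconds": min(values),
                       "maxOneWayDelayMicroseconds": max(values),
                       "meanOneWayDelayMicroseconds": sum(values) // len(values)})
    return record
```

For the constructed reports, `correlated_flow_record(INGRESS_REPORTS, EGRESS_REPORTS)` correlates three packets (delays of 2100, 2150 and 2050 microseconds) and counts the packet seen only at ingress as uncorrelated; `packet_intervals(INGRESS_REPORTS)` gives the gaps 250, 250 and 500 microseconds between the four ingress observations.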
Collectors therefore do not need to recognize the differences among router implementations from several vendors, or among Exporter types such as router, switch, or probe. Typical derived packet property parameters include the following.

* The "bgpNextHop{IPv4|IPv6}Address" described in [RFC5102] indicates the egress router of a network domain. That is useful for building a traffic matrix that covers the whole network domain.

* The BGP community value indicates the same group of destination or source IP addresses.

* The "mplsVpnRouteDistinguisher" described in [RFC5102], which cannot be extracted from a core router in MPLS networks, identifies the VPN customer. Network operators can monitor the traffic behavior of each customer by adding "mplsVpnRouteDistinguisher" to the Data Records.

Deleting specified Information Elements

This function deletes existing Information Elements according to instruction rules, which indicate whether an Information Element should be removed. Applicable examples include hiding network topology information and private information. In the case of IPFIX exporting across domains, the function can avoid creating a vulnerability by deleting unnecessary Information Elements. Examples of network topology information include "ipNextHopIP{v4|v6}Address", "bgpNextHopIP{v4|v6}Address", and "bgp{Next|Prev}AdjacentAsNumber", described in [RFC5102]. In addition, MPLS-related Information Elements, such as "mplsLabelStackSection", are useless to the customers when Flow Records/Packet Reports are fed to VPN customers.

Modifying the value of specified Information Elements

This function modifies the value of specified Information Elements. Applicable examples include anonymizing customers' private information, such as IP addresses and port numbers, according to a privacy protection policy.
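The deletion and value-modification cases of the Modification Function, as an added Python example (not code from the draft): the topology-related elements named above are removed from a Template and its Data Record before cross-domain export, the "flowKeyIndicator" is recomputed because the Template's data structure changed, and customer addresses and ports are replaced by keyed pseudonyms while the function records which fields it changed and how. The Template, the record, the key, the HMAC-based pseudonymization method, the least-significant-bit-first reading of flowKeyIndicator, and the subsidiary-information names are assumptions of this example; the draft does not prescribe an anonymization method.

```python
"""Added example: a Modification Function that deletes topology elements,
recomputes flowKeyIndicator and pseudonymizes customer identifiers
(illustrative, not code from the draft)."""
import hashlib
import hmac
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed Template: ordered Information Element names from [RFC5102].
# A topology element is deliberately placed first so that deleting it
# visibly shifts the flowKeyIndicator bit positions.
TEMPLATE: List[str] = [
    "ipNextHopIPv4Address", "sourceIPv4Address", "destinationIPv4Address",
    "sourceTransportPort", "destinationTransportPort", "protocolIdentifier",
    "bgpNextHopIPv4Address", "bgpNextAdjacentAsNumber", "mplsLabelStackSection",
    "packetDeltaCount", "octetDeltaCount",
]
FLOW_KEYS: Set[str] = {"sourceIPv4Address", "destinationIPv4Address",
                       "sourceTransportPort", "destinationTransportPort",
                       "protocolIdentifier"}
# Elements the draft names as exposing network topology, plus the MPLS
# label stack that is useless to a VPN customer.
TOPOLOGY_ELEMENTS: Set[str] = {
    "ipNextHopIPv4Address", "ipNextHopIPv6Address", "bgpNextHopIPv4Address",
    "bgpNextHopIPv6Address", "bgpNextAdjacentAsNumber",
    "bgpPrevAdjacentAsNumber", "mplsLabelStackSection",
}
ADDRESS_ELEMENTS = {"sourceIPv4Address", "destinationIPv4Address"}
PORT_ELEMENTS = {"sourceTransportPort", "destinationTransportPort"}

# Constructed Data Record laid out as TEMPLATE (values invented).
SAMPLE_RECORD: Dict[str, object] = {
    "ipNextHopIPv4Address": "10.0.0.1", "sourceIPv4Address": "192.0.2.25",
    "destinationIPv4Address": "198.51.100.7", "sourceTransportPort": 51234,
    "destinationTransportPort": 443, "protocolIdentifier": 6,
    "bgpNextHopIPv4Address": "10.0.0.2", "bgpNextAdjacentAsNumber": 64496,
    "mplsLabelStackSection": b"\x00\x01\x01\x40",
    "packetDeltaCount": 12, "octetDeltaCount": 9000,
}


def flow_key_indicator(template: List[str], flow_keys: Set[str]) -> int:
    """flowKeyIndicator [RFC5102]: one bit per Information Element of the
    Template, set when that element is a Flow Key.  This example maps the
    first Template element to the least significant bit (an assumption)."""
    return sum(1 << i for i, name in enumerate(template) if name in flow_keys)


def delete_elements(template: List[str], record: Dict[str, object],
                    to_delete: Set[str]) -> Tuple[List[str], Dict[str, object], int]:
    """Deleting specified Information Elements: drop them from the Template
    and the Data Record, then recompute flowKeyIndicator, which the draft
    requires whenever the Template's data structure is modified."""
    new_template = [ie for ie in template if ie not in to_delete]
    new_record = {ie: record[ie] for ie in new_template if ie in record}
    return new_template, new_record, flow_key_indicator(new_template, FLOW_KEYS)


def _pseudonym(value: bytes, key: bytes, nbytes: int) -> int:
    """Keyed pseudonymization (truncated HMAC-SHA256): one input always maps
    to the same output under one key, so Flows stay correlatable, while the
    original value cannot be recovered without the key."""
    return int.from_bytes(hmac.new(key, value, hashlib.sha256).digest()[:nbytes], "big")


def anonymize(record: Dict[str, object], key: bytes,
              fields: Iterable[str]) -> Tuple[Dict[str, object], Dict[str, object]]:
    """Modifying the value of specified Information Elements: replace the
    listed address and port elements by pseudonyms and return the modified
    record together with subsidiary information naming the anonymized
    fields and the method (placeholder names).  Fields absent from the
    record are skipped; fields with no rule are rejected rather than
    silently passed through."""
    out = dict(record)
    done: List[str] = []
    for name in fields:
        if name not in record:
            continue
        if name in ADDRESS_ELEMENTS:
            packed = ipaddress.IPv4Address(record[name]).packed
            out[name] = str(ipaddress.IPv4Address(_pseudonym(packed, key, 4)))
        elif name in PORT_ELEMENTS:
            out[name] = _pseudonym(int(record[name]).to_bytes(2, "big"), key, 2)
        else:
            raise ValueError("no anonymization rule for %s" % name)
        done.append(name)
    subsidiary = {"anonymizedFields": done,
                  "anonymizationMethod": "keyed HMAC-SHA256 pseudonym (example)"}
    return out, subsidiary
```

With the constructed Template, `flow_key_indicator` is 0b111110 before deletion (the five Flow Keys sit at positions 1 to 5) and 0b11111 after `delete_elements` removes the leading "ipNextHopIPv4Address" and the other topology elements. The key must be kept as carefully as the original data: anyone holding it can recompute the mapping for candidate addresses.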
The function may also report the anonymized fields and the anonymization method as subsidiary information.

5.4. IPFIX File Writer/Reader

The IPFIX File Writer/Reader on an IPFIX Mediator also complies with [I-D.ietf-ipfix-file]. The IPFIX File Writer stores input Data Records from any process in a file system. If received Data Records include uninteresting Information Elements, the Modification Function can delete these elements before the IPFIX File Writer handles them. Conversely, the IPFIX File Reader retrieves stored Data Records when administrators want to retrieve past Data Records from a given time period. If the data structure of the Data Records output by the IPFIX File Reader differs from what administrators want, the Modification Function can modify the data structure. The figure below shows the IPFIX component model with an IPFIX File Writer/Reader.

              IPFIX (Flow Records / Packet Reports)
                          ^
   .----------------------+---------------------------.
   | Exporting Process(es) / IPFIX File Writer        |
   '----^-----------------^---------------------------'
        |                 |
        |    .------------+---------------------.
        |    | Intermediate Process(es)         |
        |    '------------^---------------------'
        |                 |
   .----+-----------------+---------------------------.
   | Collecting Process(es) / IPFIX File Reader       |
   '----------------------^---------------------------'
                          |
              IPFIX (Flow Records / Packet Reports)

Figure E: IPFIX Mediator Component Model with IPFIX File Writer/Reader.

5.5. Flow Expiration

The Aggregation Function needs expiration conditions for exporting cached Flow Records. These conditions are described in [I-D.ietf-ipfix-architecture]. In the case of IPFIX Mediation, the conditions are as follows.

o If no input Data Records belonging to a cached Flow arrive for a certain time period, the aggregated Flow Record expires. This time period should be configurable at the Intermediate Process.

o If the IPFIX Mediator experiences resource constraints (e.g., a lack of memory to store Flow Records), aggregated Flow Records may expire prematurely.

o For long-running Flows, the Intermediate Process should cause the Flow to expire on a regular basis or according to an expiration policy. This periodicity or expiration policy should be configurable at the Intermediate Process.

The Correlation Function also needs similar expiration conditions. However, when cached Flow Records expire prematurely and the function cannot compute their correlation, the cached Flow Records may be discarded.

5.6. Information Model

IPFIX Mediation reuses the general information model from [RFC5102] and from [I-D.ietf-psamp-info]. The Correlation Function uses additional Information Elements indicating the minimum and maximum values for the packet count and the octet count.

5.7. Examples

As an example of Intermediate Processes hosting different functions, a Collecting Process/IPFIX File Reader replicates Data Records, if necessary, and transmits them to a suitable Intermediate Process/Exporting Process. An example figure is shown below.

                         IPFIX              IPFIX              IPFIX
                           ^                  ^                  ^
                           |                  |                  |
 .--------------.   .------+-------.   .------+-------.   .------+-------.
 | IPFIX File   |   | Exporting    |   | Exporting    |   | Exporting    |
 | Writer       |   | Process {i}  |   | Process {j}  |...| Process {n}  |
 '----^----^----'   '------^-------'   '------^-------'   '------^-------'
      |    |               |                  |                  |
      |    +---------------+                  |                  |
      |                    | Flow Records     | Flow Records /   |
      |                    |                  | Packet Reports   |
      |             .------+-------.   .------+-------.   .------+-------.
      |             | Intermediate |   | Intermediate |   | Intermediate |
      |             | Process {l}  |   | Process {m}  |...| Process {p}  |
      |             |              |   |              |   |              |
      |             |  Selection   |   |  Selection   |   |              |
      |             |      ^       |   |      ^       |   |              |
      |             | Correlation  |   | Modification |   | Modification |
      |             |      ^       |   |      ^       |   |      ^       |
      |             |  Selection   |   | Aggregation  |   |  Selection   |
      |             |      ^       |   |    ^     ^   |   |      ^       |
      |             '------|-------'   '----|-----|---'   '------|-------'
      |                    |                |     |              |
      |                    |                |     +--------------+
      | Flow Records       | Flow Records   |     |Flow Records  |
      |                    |                |     |Packet Reports|
 .----+---------.   .------+-------.   .----+---------.   .------+-------.
 | Collecting   |   | Collecting   |   | IPFIX File   |   | Collecting   |
 | Process {i}  |...| Process {j}  |   | Reader       |   | Process {n}  |
 '------^-------'   '------^-------'   '--------------'   '------^-------'
        |                  |                                     |
      IPFIX              IPFIX                                 IPFIX

Figure F: Functional Block Examples for IPFIX Mediator.

6. Security Considerations

An IPFIX measurement system must prevent the security threats related to IPFIX Mediation listed below, in addition to the security threats described in the Security Considerations section of [RFC5101].

o Attacks against IPFIX Mediators

IPFIX Mediators need to prevent unauthorized access and denial-of-service (DoS) attacks from untrusted public networks. One solution is for IPFIX Mediators to host a packet filter function that rejects malicious packets at the outside interface.

o Man-in-the-middle attacks by untrusted IPFIX Mediators

The Collector-Mediator-Exporter structure increases the risk of man-in-the-middle attacks. One solution is that IPFIX Collectors and Exporters must verify that an IPFIX Mediator is trusted, so as to prevent connections to untrusted IPFIX Mediators.

o Configuration of IPFIX Mediation

In the case of IPFIX Distributors and IPFIX Masquerading Proxies, an accidental misconfiguration or unauthorized access to configuration data could lead to the serious problem of disclosure of confidential traffic data.
To eliminate these risks, IPFIX Mediators must provide an authentication function for authorized administrators and facilities that help trace configuration changes to their origin.

7. IANA Considerations

This document has no actions for IANA.

8. References

8.1. Normative References

[I-D.ietf-ipfix-architecture] Sadasivan, G., Brownlee, N., Claise, B., and J. Quittek, "Architecture for IP Flow Information Export", draft-ietf-ipfix-architecture-12.txt (work in progress), September 2006.

[I-D.ietf-ipfix-as] Zseby, T., Boschi, E., Brownlee, N., and B. Claise, "IPFIX Applicability", draft-ietf-ipfix-as-12 (work in progress), June 2007.

[I-D.ietf-ipfix-mib] Dietz, T., Claise, B., and A. Kobayashi, "Definitions of Managed Objects for IP Flow Information Export", draft-ietf-ipfix-mib-05 (work in progress), November 2008.

[I-D.ietf-psamp-framework] Duffield, N., "A Framework for Packet Selection and Reporting", draft-ietf-psamp-framework-13.txt (work in progress), June 2008.

[I-D.ietf-psamp-info] Dietz, T., Claise, B., Aitken, P., Dressler, F., and G. Carle, "Information Model for Packet Sampling Exports", draft-ietf-psamp-info-11.txt (work in progress), October 2008.

[I-D.ietf-psamp-mib] Dietz, T. and B. Claise, "Definitions of Managed Objects for Packet Sampling", draft-ietf-psamp-mib-06 (work in progress), June 2006.

[I-D.ietf-psamp-protocol] Claise, B., Quittek, J., and A. Johnson, "Packet Sampling (PSAMP) Protocol Specifications", draft-ietf-psamp-protocol-09.txt (work in progress), December 2007.

[I-D.ietf-psamp-sample-tech] Zseby, T., Molina, M., Duffield, N., Niccolini, S., and F. Raspall, "Sampling and Filtering Techniques for IP Packet Selection", draft-ietf-psamp-sample-tech-11.txt (work in progress), July 2008.

[RFC3917] Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.

[RFC5101] Claise, B., "Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of IP Traffic Flow Information", RFC 5101, January 2008.

[RFC5102] Quittek, J., Bryant, S., Claise, B., Aitken, P., and J. Meyer, "Information Model for IP Flow Information Export", RFC 5102, January 2008.

8.2. Informative References

[I-D.ietf-ipfix-file] Trammell, B., Boschi, E., Mark, L., Zseby, T., and A. Wagner, "An IPFIX-Based File Format", draft-ietf-ipfix-file-03.txt (work in progress), October 2008.

[I-D.ietf-ipfix-mediator-ps] Kobayashi, A., Nishida, H., Sommer, C., Dressler, F., Stephan, E., and B. Claise, "IPFIX Mediation: Problem Statement", draft-ietf-ipfix-mediation-problem-statement-02.txt (work in progress), September 2009.

Appendix A. Acknowledgements

The authors gratefully acknowledge the contributions of Keisuke Ishibashi, Tsuyoshi Kondoh, and Daisuke Matsubara.

Authors' Addresses

Atsushi Kobayashi
NTT Information Sharing Platform Laboratories
3-9-11 Midori-cho
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81-422-59-3978
Email: akoba@nttv6.net

Haruhiko Nishida
NTT Information Sharing Platform Laboratories
3-9-11 Midori-cho
Musashino-shi, Tokyo 180-8585
Japan
Phone: +81-422-59-3978
Email: nishida.haruhiko@lab.ntt.co.jp

Benoit Claise
Cisco Systems
De Kleetlaan 6a b1
Diegem 1831
Belgium
Phone: +32 2 704 5622
Email: bclaise@cisco.com