Network Working Group                                           T. Dietz
Internet-Draft                                           NEC Europe Ltd.
Intended status: Standards Track                             F. Dressler
Expires: April 14, 2008                 University of Erlangen-Nuremberg
                                                                G. Carle
                                                 University of Tuebingen
                                                               B. Claise
                                                               P. Aitken
                                                     Cisco Systems, Inc.
                                                        October 12, 2007


             Information Model for Packet Sampling Exports

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 14, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Dietz, et al.         draft-ietf-psamp-info-07.txt              [Page 1]
Internet-Draft         PSAMP Information Model              October 2007

Abstract

   This memo defines an information model for the Packet Sampling
   (PSAMP) protocol.  It is used by the PSAMP protocol for encoding
   sampled packet data and information related to the sampling process.
   As the PSAMP protocol is based on the IPFIX protocol, this
   information model is an extension to the IPFIX information model.

Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

Table of Contents

   1.  Introduction
   2.  PSAMP Documents Overview
   3.  Terminology
     3.1.  IPFIX Terminology
     3.2.  PSAMP Terminology
   4.  Relationship between PSAMP and IPFIX
   5.  Properties of a PSAMP Information Element
   6.  Type Space
   7.  Overloading Information Elements
   8.  The PSAMP Information Elements
     8.1.  PSAMP Usage of IPFIX Attributes
     8.2.  Additional PSAMP Information Elements
       8.2.1.   selectionSequenceId
       8.2.2.   selectorId
       8.2.3.   informationElementId
       8.2.4.   selectorAlgorithm
       8.2.5.   samplingPacketInterval
       8.2.6.   samplingPacketSpace
       8.2.7.   samplingTimeInterval
       8.2.8.   samplingTimeSpace
       8.2.9.   samplingSize
       8.2.10.  samplingPopulation
       8.2.11.  samplingProbability
       8.2.12.  dataLinkFrameSize
       8.2.13.  ipHeaderPacketSection
       8.2.14.  ipPayloadPacketSection
       8.2.15.  dataLinkFrameSection
       8.2.16.  mplsLabelStackSection
       8.2.17.  mplsPayloadPacketSection
       8.2.18.  SelectorIdTotalPacketsObserved
       8.2.19.  SelectorIdTotalPacketsSelected
       8.2.20.  fixedError
       8.2.21.  relativeError
       8.2.22.  observationTimeSeconds
       8.2.23.  observationTimeMilliseconds
       8.2.24.  observationTimeMicroseconds
       8.2.25.  observationTimeNanoseconds
       8.2.26.  digestHashValue
       8.2.27.  hashIPPayloadOffset
       8.2.28.  hashIPPayloadSize
       8.2.29.  hashOutputRangeMin
       8.2.30.  hashOutputRangeMax
       8.2.31.  hashSelectedRangeMin
       8.2.32.  hashSelectedRangeMax
       8.2.33.  hashDigestOutput
       8.2.34.  hashInitialiserValue
   9.  Security Considerations
   10. IANA Considerations
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Formal Specification of PSAMP Information Elements
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   Packet sampling techniques are required for various measurement
   scenarios.  The packet sampling (PSAMP) protocol provides mechanisms
   for packet selection using different filtering and sampling
   techniques.  A standard way for the export and storage is required.
   The definition of the PSAMP information and data model is based on
   the IP Flow Information eXport (IPFIX) protocol
   [I-D.ietf-ipfix-protocol].  The PSAMP protocol document
   [I-D.ietf-psamp-protocol] specifies how to use the IPFIX protocol in
   the PSAMP context.

   This document examines the IPFIX information model
   [I-D.ietf-ipfix-info] and extends it to meet the PSAMP requirements.
   Therefore, the structure of this document is strongly based on the
   IPFIX document.  It complements the PSAMP protocol specification by
   providing an appropriate PSAMP information model.  The main part of
   this document, section 8, defines the list of Information Elements
   to be transmitted by the PSAMP protocol.  Sections 6 and 5 describe
   the data types and Information Element properties used within this
   document and their relationship to the IPFIX information model.

   The main body of section 8 was generated from an XML document.  The
   XML-based specification of the PSAMP Information Elements can be
   used for automatically checking syntactical correctness of the
   specification.  Furthermore it can be used - in combination with the
   IPFIX information model - for automated code generation.  The
   resulting code can be used in PSAMP protocol implementations to deal
   with processing PSAMP information elements.

   For that reason, the XML document that served as source for section
   8 is attached to this document in Appendix A.
   Note that although partially generated from the attached XML
   documents, the main body of this document is normative while the
   appendices are informational.

2.  PSAMP Documents Overview

   [I-D.ietf-psamp-framework]: "A Framework for Packet Selection and
   Reporting", describes the PSAMP framework for network elements to
   select subsets of packets by statistical and other methods, and to
   export a stream of reports on the selected packets to a collector.

   [I-D.ietf-psamp-sample-tech]: "Sampling and Filtering Techniques for
   IP Packet Selection", describes the set of packet selection
   techniques supported by PSAMP.

   [I-D.ietf-psamp-protocol]: "Packet Sampling (PSAMP) Protocol
   Specifications" specifies the export of packet information from a
   PSAMP Exporting Process to a PSAMP Collecting Process.

   This Document: "Information Model for Packet Sampling Exports" (this
   document), defines an information and data model for PSAMP.

3.  Terminology

   As the IPFIX export protocol is used to export the PSAMP
   information, the relevant IPFIX terminology from
   [I-D.ietf-ipfix-protocol] is copied over in this document.  The
   PSAMP terminology defined here is fully consistent with all terms
   listed in [I-D.ietf-psamp-protocol] but only definitions that are
   relevant to the PSAMP information model appear here.

3.1.  IPFIX Terminology

   The IPFIX terminology section has been entirely copied over from
   [I-D.ietf-ipfix-protocol], except for the IPFIX Exporting Process
   term, which is defined more precisely in the PSAMP terminology
   section.

   o  Observation Point

      An Observation Point is a location in the network where IP
      packets can be observed.
      Examples include: a line to which a probe is attached, a shared
      medium, such as an Ethernet-based LAN, a single port of a router,
      or a set of interfaces (physical or logical) of a router.

      Note that every Observation Point is associated with an
      Observation Domain (defined below), and that one Observation
      Point may be a superset of several other Observation Points.  For
      example one Observation Point can be an entire line card.  That
      would be the superset of the individual Observation Points at the
      line card's interfaces.

   o  Observation Domain

      An Observation Domain is the largest set of Observation Points
      for which Flow information can be aggregated by a Metering
      Process.

   o  IP Traffic Flow or Flow

      There are several definitions of the term 'flow' being used by
      the Internet community.  Within the context of IPFIX we use the
      following definition:

      A Flow is defined as a set of IP packets passing an Observation
      Point in the network during a certain time interval.  All packets
      belonging to a particular Flow have a set of common properties.
      Each property is defined as the result of applying a function to
      the values of:

      1.  one or more packet header fields (e.g. destination IP
          address), transport header fields (e.g. destination port
          number), or application header fields (e.g. RTP header fields
          [RFC3550])

      2.  one or more characteristics of the packet itself (e.g. number
          of MPLS labels, etc...)

      3.  one or more fields derived from packet treatment (e.g. next
          hop IP address, the output interface, etc...)

      A packet is defined to belong to a Flow if it completely
      satisfies all the defined properties of the Flow.

      This definition covers the range from a Flow containing all
      packets observed at a network interface to a Flow consisting of
      just a single packet between two applications.  It includes
      packets selected by a sampling mechanism.
   o  Flow Record

      A Flow Record contains information about a specific Flow that was
      observed at an Observation Point.  A Flow Record contains
      measured properties of the Flow (e.g. the total number of bytes
      for all the Flow's packets) and usually characteristic properties
      of the Flow (e.g. source IP address).

   o  Metering Process

      The Metering Process generates Flow Records.  Inputs to the
      process are packet headers and characteristics observed at an
      Observation Point, and packet treatment at the Observation Point
      (for example the selected output interface).

      The Metering Process consists of a set of functions that includes
      packet header capturing, timestamping, sampling, classifying, and
      maintaining Flow Records.

      The maintenance of Flow Records may include creating new records,
      updating existing ones, computing Flow statistics, deriving
      further Flow properties, detecting Flow expiration, passing Flow
      Records to the Exporting Process, and deleting Flow Records.

   o  IPFIX Device

      An IPFIX Device hosts at least one Exporting Process.  It may
      host further Exporting Processes and arbitrary numbers of
      Observation Points and Metering Processes.

   o  Exporting Process

      An Exporting Process sends, in the form of Export Packets, the
      output of one or more Metering Processes to one or more
      Collectors.

   o  Collecting Process

      A Collecting Process receives Flow Records from one or more
      Exporting Processes.  The Collecting Process might process or
      store received Flow Records, but such actions are out of scope
      for this document.

   o  Collector

      A device which hosts one or more Collecting Processes is termed a
      Collector.

   o  Template

      A Template is an ordered sequence of pairs, used to completely
      specify the structure and semantics of a particular set of
      information that needs to be communicated from an IPFIX Device to
      a Collector.  Each Template is uniquely identifiable by means of
      a Template ID.
   o  Template Record

      A Template Record defines the structure and interpretation of
      fields in a Data Record.

   o  Data Record

      A Data Record is a record that contains values of the parameters
      corresponding to a Template Record.

   o  Options Template Record

      An Options Template Record is a Template Record that defines the
      structure and interpretation of fields in a Data Record,
      including defining how to scope the applicability of the Data
      Record.

   o  Information Element

      An Information Element is a protocol and encoding independent
      description of an attribute which may appear in an IPFIX Record.

3.2.  PSAMP Terminology

   The relevant PSAMP terminology has been copied from
   [I-D.ietf-psamp-protocol] into this document.

   o  Observed Packet Stream

      An Observed Packet Stream denotes the packets that flow past the
      Observation Point.

   o  Packet Stream

      A Packet Stream denotes a subset of the Observed Packet Stream
      that flows past some specified point within the Selection
      Process.  An example of a Packet Stream is the output of the
      Selection Process.  Note that packets selected from a stream,
      e.g. by Sampling, do not necessarily possess a property by which
      they can be distinguished from packets that have not been
      selected.  For this reason the term "stream" is favored over
      "flow", which is defined as a set of packets with common
      properties [RFC3917].

   o  Selection Process

      A Selection Process takes the Observed Packet Stream as its input
      and selects a subset of that stream as its output.

   o  Population

      A Population is a Packet Stream, or a subset of a Packet Stream.
      A Population can be considered as a base set from which packets
      are selected.  An example is all packets in the Observed Packet
      Stream that are observed within some specified time interval.

   o  Selector

      A Selector defines the action of a Selection Process on a single
      packet of its input.
      If selected, the packet becomes an element of the output Packet
      Stream.

      The Selector can make use of the following information in
      determining whether a packet is selected:

      1.  the Packet Content;

      2.  information derived from the packet's treatment at the
          Observation Point;

      3.  any selection state that may be maintained by the Selection
          Process.

   o  Composite Selector

      A Composite Selector is an ordered composition of Selectors, in
      which the output Packet Stream issuing from one Selector forms
      the input Packet Stream to the succeeding Selector.

   o  Primitive Selector

      A Selector is primitive if it is not a Composite Selector.

   o  Selector ID

      The Selector ID is the unique ID identifying a Primitive
      Selector.  The ID is unique within the Observation Domain.

   o  Selection Sequence

      From all the packets observed at an Observation Point, only a few
      packets are selected by one or more Selectors.  The Selection
      Sequence is a unique value per Observation Domain describing the
      Observation Point and the Selector IDs through which the packets
      are selected.

   o  Packet Reports

      Packet Reports comprise a configurable subset of a packet's input
      to the Selection Process, including the Packet Content,
      information relating to its treatment (for example, the output
      interface), and its associated selection state (for example, a
      hash of the Packet Content).

   o  Report Interpretation

      Report Interpretation comprises subsidiary information, relating
      to one or more packets, that are used for interpretation of their
      Packet Reports.  Examples include configuration parameters of the
      Selection Process.

   o  PSAMP Device

      A PSAMP Device is a device hosting at least an Observation Point,
      a Selection Process and an Exporting Process.  Typically,
      corresponding Observation Point(s), Selection Process(es) and
      Exporting Process(es) are co-located at this device, for example
      at a router.

   o  Filtering

      A filter is a Selector that selects a packet deterministically
      based on the Packet Content, or its treatment, or functions of
      these occurring in the Selection State.  Examples include
      property match Filtering, and Hash-based Selection.

   o  Sampling

      A Selector that is not a filter is called a Sampling operation.
      This reflects the intuitive notion that if the selection of a
      packet cannot be determined from its content alone, there must be
      some type of Sampling taking place.

4.  Relationship between PSAMP and IPFIX

   As described in the PSAMP protocol draft [I-D.ietf-psamp-protocol] a
   PSAMP Report can be seen as a very special IPFIX Data Record.  It
   represents an IPFIX Flow containing only a single packet.
   Therefore, the IPFIX information model can be used as a basis for
   PSAMP Reports.

   Nevertheless, there are properties required in PSAMP Reports which
   cannot be modelled using the current IPFIX information model.  This
   document describes extensions to the IPFIX information model which
   allow the modelling of information and data required by PSAMP.

   Some of these extensions allow the export of what may be considered
   sensitive information.  Refer to the Security Considerations section
   for a fuller discussion.

   Note that the export of sampled or filtered PSAMP Reports may not
   need all the Information Elements defined by the IPFIX information
   model [I-D.ietf-ipfix-info], as discussed in sections 6.2 and 6.3 of
   the PSAMP Framework [I-D.ietf-psamp-framework].

5.  Properties of a PSAMP Information Element

   The PSAMP Information Elements are in accordance with the
   definitions of IPFIX.  Therefore we do not repeat the properties in
   this draft.
   Refer to sections 2.1 through 2.3 of the IPFIX Information Model
   [I-D.ietf-ipfix-info].  Nevertheless, we strongly recommend defining
   the optional "units" property for every information element (if
   applicable).

6.  Type Space

   The PSAMP Information Elements MUST be constructed from the basic
   data types described in section 3 of the IPFIX Information Model
   [I-D.ietf-ipfix-info].  To avoid duplicated work and to keep
   consistency between IPFIX and PSAMP, the data types are not repeated
   in this document.

7.  Overloading Information Elements

   Information Elements SHOULD NOT be overloaded with multiple meanings
   or re-used for multiple purposes.  Different Information Elements
   SHOULD be allocated for each requirement.

   In particular, special information SHALL be encoded in new
   Information Elements as necessary, and SHALL NOT be encoded in the
   selection method.

   Although the presence of certain other Information Elements allows
   the selection method to be inferred, a separate Information Element
   is provided for the selectorAlgorithm, e.g. for including in scope
   info and depicting the contents of composites.

   Even if the Information Elements are specified with a specific
   selection method (i.e. a specific value of selectorAlgorithm) in
   mind, these Information Elements are not restricted to the selection
   method and MAY be used for different selection methods in the
   future.

8.  The PSAMP Information Elements

   This section describes the Information Elements used by the PSAMP
   protocol.  Each Information Element specified in section 8.2 below
   is allocated a unique identifier in accordance with section 5 of the
   IPFIX information model [I-D.ietf-ipfix-info].
   The assignments are controlled by IANA as an extension of the IPFIX
   Information Model.

   The Information Elements specified by the IPFIX information model
   [I-D.ietf-ipfix-info] are used by the PSAMP protocol where
   applicable.  To avoid inconsistencies between the IPFIX and the
   PSAMP information and data models, only those Information Elements
   that are not already described by the IPFIX information model are
   defined here.

8.1.  PSAMP Usage of IPFIX Attributes

   This section lists additional Information Elements that are needed
   in the PSAMP context and introduces their usage.

   List of additional PSAMP Information Elements:

+-----+--------------------------------+-----+--------------------------------+
| ID  | Name                           | ID  | Name                           |
+-----+--------------------------------+-----+--------------------------------+
| 301 | selectionSequenceId            | 318 | SelectorIdTotalPacketsObserved |
| 302 | selectorId                     | 319 | SelectorIdTotalPacketsSelected |
| 303 | informationElementId           | 320 | fixedError                     |
| 304 | selectorAlgorithm              | 321 | relativeError                  |
| 305 | samplingPacketInterval         | 322 | observationTimeSeconds         |
| 306 | samplingPacketSpace            | 323 | observationTimeMilliseconds    |
| 307 | samplingTimeInterval           | 324 | observationTimeMicroseconds    |
| 308 | samplingTimeSpace              | 325 | observationTimeNanoseconds     |
| 309 | samplingSize                   | 326 | digestHashValue                |
| 310 | samplingPopulation             | 327 | hashIPPayloadOffset            |
| 311 | samplingProbability            | 328 | hashIPPayloadSize              |
| 312 | dataLinkFrameSize              | 329 | hashOutputRangeMin             |
| 313 | ipHeaderPacketSection          | 330 | hashOutputRangeMax             |
| 314 | ipPayloadPacketSection         | 331 | hashSelectedRangeMin           |
| 315 | dataLinkFrameSection           | 332 | hashSelectedRangeMax           |
| 316 | mplsLabelStackSection          | 333 | hashDigestOutput               |
| 317 | mplsPayloadPacketSection       | 334 | hashInitialiserValue           |
+-----+--------------------------------+-----+--------------------------------+

8.2.  Additional PSAMP Information Elements

8.2.1.  selectionSequenceId

   Description:
      From all the packets observed at an Observation Point, a subset
      of packets is selected by a sequence of one or more Selectors.
      The selectionSequenceId is a unique value per Observation Domain,
      specifying the Observation Point and the sequence of Selectors
      through which the packets are selected.

   Abstract Data Type: unsigned64
   ElementId: 301
   Status: current

8.2.2.  selectorId

   Description:
      The Selector ID is the unique ID identifying a Primitive
      Selector.  Each Primitive Selector must have a unique ID in the
      Observation Domain.

   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 302
   Status: current

8.2.3.  informationElementId

   Description:
      This Information Element contains the ID of another Information
      Element.

   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 303
   Status: current

8.2.4.  selectorAlgorithm

   Description:
      This Information Element specifies the Selector algorithm (e.g.,
      Filtering, Sampling) that was used on a packet.

      The following Selector algorithms are currently defined:

      1  Systematic count-based Sampling
      2  Systematic time-based Sampling
      3  Random n-out-of-N Sampling
      4  Uniform probabilistic Sampling
      5  Property match Filtering
      6  Hash based Filtering using BOB
      7  Hash based Filtering using IPSX
      8  Hash based Filtering using CRC

      The parameters for most of these algorithms are defined in this
      information model.  Some parameters for these algorithms are not
      covered by this information model since they very much depend on
      the underlying hardware.

      This list will be maintained by IANA.
      IANA can update this Information Element as long as there's a new
      RFC specifying the algorithm and any new Information Elements
      which are required.

   Abstract Data Type: unsigned16
   Data Type Semantics: identifier
   ElementId: 304
   Status: current

8.2.5.  samplingPacketInterval

   Description:
      This Information Element specifies the number of packets that are
      consecutively sampled.  For example a value of 100 means that 100
      contiguous packets are sampled.

      For example, this Information Element may be used to describe the
      configuration of a systematic count-based sampling Selector.

   Abstract Data Type: unsigned32
   ElementId: 305
   Status: current
   Units: packets

8.2.6.  samplingPacketSpace

   Description:
      This Information Element specifies the number of packets between
      two "samplingPacketInterval"s.  A value of 100 means that the
      next interval starts after 100 packets (which are not sampled)
      when the current "samplingPacketInterval" is over.

      For example, this Information Element may be used to describe the
      configuration of a systematic count-based sampling Selector.

   Abstract Data Type: unsigned32
   ElementId: 306
   Status: current
   Units: packets

8.2.7.  samplingTimeInterval

   Description:
      This Information Element specifies the time interval in
      microseconds during which all arriving packets are sampled.

      For example, this Information Element may be used to describe the
      configuration of a systematic time-based sampling Selector.

   Abstract Data Type: dateTimeMicroseconds
   ElementId: 307
   Status: current
   Units: microseconds

8.2.8.  samplingTimeSpace

   Description:
      This Information Element specifies the time interval in
      microseconds between two "samplingTimeInterval"s.
      A value of 100 means that the next interval starts after 100
      microseconds (during which no packets are sampled) when the
      current "samplingTimeInterval" is over.

      For example, this Information Element may be used to describe the
      configuration of a systematic time-based sampling Selector.

   Abstract Data Type: dateTimeMicroseconds
   ElementId: 308
   Status: current
   Units: microseconds

8.2.9.  samplingSize

   Description:
      This Information Element specifies the number of elements taken
      from the parent Population for random sampling algorithms.

      For example, this Information Element may be used to describe the
      configuration of a random n-out-of-N sampling Selector.

   Abstract Data Type: unsigned32
   ElementId: 309
   Status: current
   Units: packets

8.2.10.  samplingPopulation

   Description:
      This Information Element specifies the number of elements in the
      parent Population for random sampling algorithms.

      For example, this Information Element may be used to describe the
      configuration of a random n-out-of-N sampling Selector.

   Abstract Data Type: unsigned32
   ElementId: 310
   Status: current
   Units: packets

8.2.11.  samplingProbability

   Description:
      This Information Element specifies the probability that a packet
      is sampled, expressed as a value between 0 and 1.  The
      probability is equal for every packet.  A value of 0 means no
      packet was sampled since the probability is 0.

      For example, this Information Element may be used to describe the
      configuration of a uniform probabilistic sampling Selector.

   Abstract Data Type: float64
   ElementId: 311
   Status: current

8.2.12.  dataLinkFrameSize

   Description:
      This Information Element specifies the size of the sampled data
      link frame, and SHOULD be checked before analysing higher layer
      protocols.

      The data link layer is defined in [ISO_IEC.7498-1_1994].

   Abstract Data Type: unsigned32
   ElementId: 312
   Status: current

8.2.13.  ipHeaderPacketSection

   Description:
      This Information Element, which may have a variable length,
      carries a series of octets from the start of the IP header of a
      sampled packet.

      With sufficient length, this element also reports octets from the
      IP payload, subject to [RFC2804].  See the Security
      Considerations section.

      The size of the exported section may be constrained due to
      limitations in the IPFIX protocol.

      If insufficient octets are available for the length specified in
      the Template, the Information Element MUST NOT be padded.

   Abstract Data Type: octetArray
   ElementId: 313
   Status: current

8.2.14.  ipPayloadPacketSection

   Description:
      This Information Element, which may have a variable length,
      carries a series of octets from the start of the IP payload of a
      sampled packet.

      The IPv4 payload is that part of the packet which follows the
      IPv4 header and any options, which [RFC0791] refers to as "data"
      or "data octets".  E.g., see the examples in [RFC0791]
      APPENDIX A.

      The IPv6 payload is the rest of the packet following the 40 octet
      IPv6 header.  Note that any extension headers present are
      considered part of the payload.  See [RFC2460] for the IPv6
      specification.

      The size of the exported section may be constrained due to
      limitations in the IPFIX protocol.

      If insufficient octets are available for the length specified in
      the Template, the Information Element MUST NOT be padded.

   Abstract Data Type: octetArray
   ElementId: 314
   Status: current

8.2.15.  dataLinkFrameSection

   Description:
      This Information Element, which may have a variable length,
      carries the first n octets from the data link frame of a sampled
      packet.

      The data link layer is defined in [ISO_IEC.7498-1_1994].

      The size of the exported section may be constrained due to
      limitations in the IPFIX protocol.

      If insufficient octets are available for the length specified in
      the Template, the Information Element MUST NOT be padded.

   Abstract Data Type: octetArray
   ElementId: 315
   Status: current

8.2.16.  mplsLabelStackSection

   Description:
      This Information Element, which may have a variable length,
      carries the first n octets from the MPLS label stack of a sampled
      packet.

      With sufficient length, this element also reports octets from the
      MPLS payload, subject to [RFC2804].  See the Security
      Considerations section.

      See [RFC3031] for the specification of MPLS packets.

      See [RFC3032] for the specification of the MPLS label stack.

      The size of the exported section may be constrained due to
      limitations in the IPFIX protocol.
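An added example, not part of the draft: one way a Collecting Process could split a received mplsLabelStackSection value into label stack entries and any MPLS payload octets that follow them, without assuming that the value is padded or that the whole stack was exported. The function names and the sample octets are constructed for illustration; the 4-octet entry layout (20-bit label, 3-bit experimental field, bottom-of-stack bit, 8-bit TTL) is the one specified in [RFC3032].

```python
import struct
from typing import List, NamedTuple


class LabelEntry(NamedTuple):
    label: int    # 20-bit label value
    tc: int       # 3-bit experimental / traffic class field
    bottom: bool  # S bit: True on the last entry of the stack
    ttl: int      # 8-bit time to live


class MplsSection(NamedTuple):
    entries: List[LabelEntry]
    payload: bytes   # octets that follow the bottom-of-stack entry
    partial: bytes   # 1-3 octets of an entry cut off by the exported length
    complete: bool   # True only if the bottom-of-stack entry was exported


def parse_mpls_label_stack_section(section: bytes) -> MplsSection:
    """Split an exported section into label entries and trailing octets.

    The section is never padded, so it may end in the middle of the stack
    or even in the middle of a 4-octet entry. Nothing is read past the
    octets that were actually exported.
    """
    entries: List[LabelEntry] = []
    offset = 0
    while len(section) - offset >= 4:
        (word,) = struct.unpack_from("!I", section, offset)
        entry = LabelEntry(
            label=word >> 12,
            tc=(word >> 9) & 0x7,
            bottom=bool(word & 0x100),
            ttl=word & 0xFF,
        )
        entries.append(entry)
        offset += 4
        if entry.bottom:
            # Everything after the bottom-of-stack entry is MPLS payload.
            return MplsSection(entries, section[offset:], b"", True)
    # Ran out of octets before seeing the S bit: the stack was truncated.
    return MplsSection(entries, b"", section[offset:], False)


def drop_payload(section: bytes) -> bytes:
    """Keep only label stack octets, for stores that must not hold payload."""
    parsed = parse_mpls_label_stack_section(section)
    return section[: len(section) - len(parsed.payload)]


def encode_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Build one label stack entry (used only to construct the sample)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


# Constructed sample: two labels followed by four payload octets.
SAMPLE_SECTION = (
    encode_entry(16, 0, False, 64)
    + encode_entry(1000, 0, True, 63)
    + bytes.fromhex("45000054")
)

if __name__ == "__main__":
    full = parse_mpls_label_stack_section(SAMPLE_SECTION)
    print([e.label for e in full.entries], full.payload.hex(), full.complete)
    cut = parse_mpls_label_stack_section(SAMPLE_SECTION[:6])
    print([e.label for e in cut.entries], cut.partial.hex(), cut.complete)
    print(drop_payload(SAMPLE_SECTION).hex())
```

The `complete` flag lets downstream analysis distinguish a section that ended at the bottom of the stack from one that was cut short by the exported length.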
If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded. Abstract Data Type: octetArray ElementId: 315 Status: current 8.2.16. mplsLabelStackSection Description: This Information Element, which may have a variable length, carries the first n octets from the MPLS label stack of a sampled packet. With sufficient length, this element also reports octets from the MPLS payload, subject to [RFC2804]. See the Security Considerations section. See [RFC3031] for the specification of MPLS packets. See [RFC3032] for the specification of the MPLS label stack. The size of the exported section may be constrained due to limitations in the IPFIX protocol. Dietz, et al. draft-ietf-psamp-info-07.txt [Page 25] Internet-Draft PSAMP Information Model October 2007 If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded. Abstract Data Type: octetArray ElementId: 316 Status: current 8.2.17. mplsPayloadPacketSection Description: This Information Element, which may have a variable length, carries the first n octets from the MPLS payload of a sampled packet, being data that follows immediately after the MPLS label stack. See [RFC3031] for the specification of MPLS packets. See [RFC3032] for the specification of the MPLS label stack. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded. Abstract Data Type: octetArray ElementId: 317 Status: current 8.2.18. SelectorIdTotalPacketsObserved Description: This Information Element specifies the total number of packets observed by a Selector, for a specific value of SelectorId. Abstract Data Type: unsigned64 Data Type Semantics: totalCounter Dietz, et al. 
   ElementId: 318
   Status: current
   Units: packets

8.2.19.  SelectorIdTotalPacketsSelected

   Description:
      This Information Element specifies the total number of packets selected by a Selector, for a specific value of SelectorId.

   Abstract Data Type: unsigned64
   Data Type Semantics: totalCounter
   ElementId: 319
   Status: current
   Units: packets

8.2.20.  fixedError

   Description:
      This Information Element specifies the maximum possible positive or negative error interval of the reported value for a given Information Element.

   Abstract Data Type: float64
   ElementId: 320
   Status: current
   Units: The units of the Information Element for which the error is specified.

8.2.21.  relativeError

   Description:
      This Information Element specifies the maximum possible positive or negative error ratio for a given Information Element.

   Abstract Data Type: float64
   ElementId: 321
   Status: current

8.2.22.  observationTimeSeconds

   Description:
      This Information Element specifies the absolute time in seconds of an observation.

   Abstract Data Type: dateTimeSeconds
   ElementId: 322
   Status: current
   Units: seconds

8.2.23.  observationTimeMilliseconds

   Description:
      This Information Element specifies the absolute time in milliseconds of an observation.

   Abstract Data Type: dateTimeMilliseconds
   ElementId: 323
   Status: current
   Units: milliseconds

8.2.24.  observationTimeMicroseconds

   Description:
      This Information Element specifies the absolute time in microseconds of an observation.

   Abstract Data Type: dateTimeMicroseconds
   ElementId: 324
   Status: current
   Units: microseconds

8.2.25.  observationTimeNanoseconds

   Description:
      This Information Element specifies the absolute time in nanoseconds of an observation.
   Abstract Data Type: dateTimeNanoseconds
   ElementId: 325
   Status: current
   Units: nanoseconds

8.2.26.  digestHashValue

   Description:
      This Information Element specifies the value from the digest hash function.

   Abstract Data Type: unsigned64
   ElementId: 326
   Status: current

8.2.27.  hashIPPayloadOffset

   Description:
      This Information Element specifies the IP payload offset used by a hash based Selector.

   Abstract Data Type: unsigned64
   ElementId: 327
   Status: current

8.2.28.  hashIPPayloadSize

   Description:
      This Information Element specifies the IP payload size used by a hash based Selector.

   Abstract Data Type: unsigned64
   ElementId: 328
   Status: current

8.2.29.  hashOutputRangeMin

   Description:
      This Information Element specifies the value for the beginning of a hash function's potential output range.

   Abstract Data Type: unsigned64
   ElementId: 329
   Status: current

8.2.30.  hashOutputRangeMax

   Description:
      This Information Element specifies the value for the end of a hash function's potential output range.

   Abstract Data Type: unsigned64
   ElementId: 330
   Status: current

8.2.31.  hashSelectedRangeMin

   Description:
      This Information Element specifies the value for the beginning of a hash function's selected range.

   Abstract Data Type: unsigned64
   ElementId: 331
   Status: current

8.2.32.  hashSelectedRangeMax

   Description:
      This Information Element specifies the value for the end of a hash function's selected range.

   Abstract Data Type: unsigned64
   ElementId: 332
   Status: current

8.2.33.  hashDigestOutput

   Description:
      This Information Element contains a boolean value which is TRUE if the output from this hash Selector has been configured to be included in the packet report as a packet digest, else FALSE.

   Abstract Data Type: boolean
   ElementId: 333
   Status: current

8.2.34.  hashInitialiserValue

   Description:
      This Information Element specifies the initialiser value to the hash function.

   Abstract Data Type: unsigned64
   ElementId: 334
   Status: current

9.  Security Considerations

   The PSAMP information model itself does not directly introduce security issues. Rather it defines a set of attributes which may for privacy or business issues be considered sensitive information.

   Specifically, the Information Elements pertaining to packet sections MUST target no more than the packet header, some subsequent bytes of the packet, and encapsulating headers if present. Full packet capture of arbitrary packet streams is explicitly out of scope, per [RFC2804].

   The underlying protocol used to exchange the information described here must therefore apply appropriate procedures to guarantee the integrity and confidentiality of the exported information. Such protocols are defined in separate documents, specifically the PSAMP protocol document [I-D.ietf-psamp-protocol].

10.  IANA Considerations

   This document specifies an initial set of PSAMP Information Elements as specified in [I-D.ietf-psamp-sample-tech], as an extension to the IPFIX Information Elements [I-D.ietf-ipfix-info].

   New assignments for PSAMP Information Elements will be administered according to rules explained in the "IANA Consideration" section of the IPFIX Information Model document [I-D.ietf-ipfix-info].

   Note that the PSAMP Information Element IDs were initially started at the value 301, in order to leave a gap for any ongoing IPFIX work requiring new Information Elements.
   It is expected that this gap in the Information Element numbering will be filled in by IANA with new IPFIX Information Elements.

   Appendix B defines an XML schema which may be used to create consistent machine readable extensions to the IPFIX information model. This schema introduces a new namespace, which will be assigned by IANA according to [RFC3688].

   The selectorAlgorithm registry is maintained by IANA and can be updated as long as specifications of the new method(s) and any new Information Elements are provided.

11.  References

11.1.  Normative References

   [I-D.ietf-psamp-sample-tech]
      Zseby, T., "Sampling and Filtering Techniques for IP Packet Selection", draft-ietf-psamp-sample-tech-10 (work in progress), June 2007.

   [I-D.ietf-psamp-protocol]
      Claise, B., "Packet Sampling (PSAMP) Protocol Specifications", draft-ietf-psamp-protocol-08 (work in progress), June 2007.

   [I-D.ietf-ipfix-info]
      Quittek, J., "Information Model for IP Flow Information Export", draft-ietf-ipfix-info-15 (work in progress), February 2007.

   [I-D.ietf-ipfix-protocol]
      Claise, B., "Specification of the IPFIX Protocol for the Exchange of IP Traffic Flow Information", draft-ietf-ipfix-protocol-26 (work in progress), September 2007.

   [ISO_IEC.7498-1_1994]
      International Organization for Standardization, "Information technology -- Open Systems Interconnection -- Basic Reference Model: The Basic Model", ISO Standard 7498-1:1994, June 1996.

   [RFC2119]
      Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

11.2.  Informative References

   [RFC3917]
      Quittek, J., Zseby, T., Claise, B., and S. Zander, "Requirements for IP Flow Information Export (IPFIX)", RFC 3917, October 2004.

   [I-D.ietf-psamp-framework]
      Duffield, N., "A Framework for Packet Selection and Reporting", draft-ietf-psamp-framework-12 (work in progress), June 2007.
   [RFC2804]
      IAB and IESG, "IETF Policy on Wiretapping", RFC 2804, May 2000.

   [RFC0791]
      Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981.

   [RFC2460]
      Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998.

   [RFC3031]
      Rosen, E., Viswanathan, A., and R. Callon, "Multiprotocol Label Switching Architecture", RFC 3031, January 2001.

   [RFC3032]
      Rosen, E., Tappan, D., Fedorkow, G., Rekhter, Y., Farinacci, D., Li, T., and A. Conta, "MPLS Label Stack Encoding", RFC 3032, January 2001.

   [RFC2629]
      Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629, June 1999.

   [RFC3688]
      Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, January 2004.

   [RFC3550]
      Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, July 2003.

Appendix A.  Formal Specification of PSAMP Information Elements

   This appendix contains a formal description of the PSAMP information model XML document. Note that this appendix is of informational nature, while the text in Section 8 generated from this appendix is normative.

   Using a formal and machine readable syntax for the information model enables the creation of PSAMP aware tools which can automatically adapt to extensions to the information model, by simply reading updated information model specifications.

   The wide availability of XML aware tools and libraries for client devices is a primary consideration for this choice. In particular libraries for parsing XML documents are readily available. Also mechanisms such as the Extensible Stylesheet Language (XSL) allow for transforming a source XML document into other documents. This draft was authored in XML and transformed according to [RFC2629].
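   The following is an added example, not part of the draft: a Python collector fragment that keeps a few Section 8.2 elements as a data table instead of hard-coding them, decodes a record carrying a variable-length ipHeaderPacketSection, and then reports how many payload octets were exported (Section 9) and whether the section is longer than the IPv4 Total Length, which would indicate the padding that Section 8.2.13 forbids. The 65535 template length and the one- or three-octet length prefix come from the IPFIX protocol specification rather than this page; the template, the sample record and all function names are constructed for the example.

```python
import struct

# A few elements from Section 8.2, held as data (elementId -> name, abstract
# data type) so that new elements are a table change, not a code change.
REGISTRY = {
    313: ("ipHeaderPacketSection", "octetArray"),
    314: ("ipPayloadPacketSection", "octetArray"),
    323: ("observationTimeMilliseconds", "dateTimeMilliseconds"),
    326: ("digestHashValue", "unsigned64"),
}
FIXED = {"unsigned64": ">Q", "dateTimeMilliseconds": ">Q"}  # full-size encodings only
VARLEN = 0xFFFF  # template length marking a variable-length element (IPFIX protocol)

# Constructed template for this example: list of (elementId, field length).
TEMPLATE = [(323, 8), (313, VARLEN), (326, 8)]


def read_field(buf, pos, tmpl_len):
    """Return (octets, next_pos); raise ValueError instead of reading past buf."""
    n = tmpl_len
    if tmpl_len == VARLEN:
        if pos >= len(buf):
            raise ValueError("missing variable-length prefix")
        n, pos = buf[pos], pos + 1
        if n == 255:  # long form: 255, then a 16-bit length
            if pos + 2 > len(buf):
                raise ValueError("truncated 16-bit length")
            n, pos = struct.unpack_from(">H", buf, pos)[0], pos + 2
    if pos + n > len(buf):
        raise ValueError("field of %d octets overruns the record" % n)
    return buf[pos:pos + n], pos + n


def decode_record(template, buf):
    """Decode one data record into {element name: value}."""
    out, pos = {}, 0
    for element_id, tmpl_len in template:
        name, adt = REGISTRY.get(element_id, ("ie%d" % element_id, "octetArray"))
        raw, pos = read_field(buf, pos, tmpl_len)
        if adt in FIXED:
            if len(raw) != struct.calcsize(FIXED[adt]):
                raise ValueError("%s: unexpected length %d" % (name, len(raw)))
            out[name] = struct.unpack(FIXED[adt], raw)[0]
        else:
            out[name] = raw
    return out


def audit_ip_section(section):
    """Check an IPv4 ipHeaderPacketSection against Sections 8.2.13 and 9."""
    if not section or section[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (section[0] & 0x0F) * 4
    if ihl < 20:
        raise ValueError("IHL below the 20-octet minimum")
    total = struct.unpack_from(">H", section, 2)[0] if len(section) >= 4 else None
    return {
        "header_complete": len(section) >= ihl,
        "payload_octets": max(0, len(section) - ihl),  # exposure beyond the header
        # More octets than the packet had means the exporter padded the element.
        "longer_than_packet": total is not None and len(section) > total,
    }


def sample_record():
    """Constructed record: timestamp, 24-octet IP section, digest."""
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    udp = struct.pack(">HHHH", 53, 53, 8, 0)
    section = ip + udp[:4]  # full header plus the first 4 payload octets
    return (struct.pack(">Q", 1192176000000) + bytes([len(section)]) + section
            + struct.pack(">Q", 0xDEADBEEF))


if __name__ == "__main__":
    rec = decode_record(TEMPLATE, sample_record())
    print(rec["observationTimeMilliseconds"], hex(rec["digestHashValue"]))
    print(audit_ip_section(rec["ipHeaderPacketSection"]))
```

   A collector can compare payload_octets against a local policy limit before storing the section; only IPv4 sections and full-size integer encodings are handled here.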
   It should be noted that the use of XML in exporters, collectors or other tools is not mandatory for the deployment of PSAMP. In particular, exporting processes do not produce or consume XML as part of their operation. It is expected that PSAMP collectors MAY take advantage of the machine readability of the information model vs. hardcoding their behavior or inventing proprietary means for accommodating extensions.

   Using XML-based specifications does not currently address possible IANA implications associated with XML Namespace URIs. The use of Namespaces as an extension mechanism implies that an IANA registered Namespace URI should be available and that directory names below this base URI be assigned for relevant IETF specifications. The authors are not aware of this mechanism today.

   From all the packets observed at an Observation Point, a subset of packets is selected by a sequence of one or more Selectors. The selectionSequenceId is a unique value per Observation Domain, specifying the Observation Point and the sequence of Selectors through which the packets are selected.

   The Selector ID is the unique ID identifying a Primitive Selector. Each Primitive Selector must have a unique ID in the Observation Domain.

   This Information Element contains the ID of another Information Element.

   This Information Element specifies the Selector algorithm (e.g., Filtering, Sampling) that was used on a packet. The following Selector algorithms are currently defined:

      1 Systematic count-based Sampling
      2 Systematic time-based Sampling
      3 Random n-out-of-N Sampling
      4 Uniform probabilistic Sampling
      5 Property match Filtering
      6 Hash based Filtering using BOB
      7 Hash based Filtering using IPSX
      8 Hash based Filtering using CRC

   The parameters for most of these algorithms are defined in this information model. Some parameters for these algorithms are not covered by this information model since they very much depend on the underlying hardware. This list will be maintained by IANA. IANA can update this Information Element as long as there's a new RFC specifying the algorithm and any new Information Elements which are required.

   This Information Element specifies the number of packets that are consecutively sampled. For example a value of 100 means that 100 contiguous packets are sampled. For example, this Information Element may be used to describe the configuration of a systematic count-based sampling Selector.
   Units: packets

   This Information Element specifies the number of packets between two "samplingPacketInterval"s. A value of 100 means that the next interval starts after 100 packets (which are not sampled) when the current "samplingPacketInterval" is over. For example, this Information Element may be used to describe the configuration of a systematic count-based sampling Selector.
   Units: packets

   This Information Element specifies the time interval in microseconds during which all arriving packets are sampled. For example, this Information Element may be used to describe the configuration of a systematic time-based sampling Selector.
   Units: microseconds

   This Information Element specifies the time interval in microseconds between two "samplingTimeInterval"s. A value of 100 means that the next interval starts after 100 microseconds (during which no packets are sampled) when the current "samplingTimeInterval" is over. For example, this Information Element may be used to describe the configuration of a systematic time-based sampling Selector.
   Units: microseconds

   This Information Element specifies the number of elements taken from the parent Population for random sampling algorithms. For example, this Information Element may be used to describe the configuration of a random n-out-of-N sampling Selector.
   Units: packets

   This Information Element specifies the number of elements in the parent Population for random sampling algorithms. For example, this Information Element may be used to describe the configuration of a random n-out-of-N sampling Selector.
   Units: packets

   This Information Element specifies the probability that a packet is sampled, expressed as a value between 0 and 1. The probability is equal for every packet. A value of 0 means no packet was sampled since the probability is 0. For example, this Information Element may be used to describe the configuration of a uniform probabilistic sampling Selector.

   This Information Element specifies the size of the sampled data link frame, and SHOULD be checked before analysing higher layer protocols. The data link layer is defined in [ISO_IEC.7498-1_1994].

   This Information Element, which may have a variable length, carries a series of octets from the start of the IP header of a sampled packet. With sufficient length, this element also reports octets from the IP payload, subject to [RFC2804]. See the Security Considerations section. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded.

   This Information Element, which may have a variable length, carries a series of octets from the start of the IP payload of a sampled packet.
   The IPv4 payload is that part of the packet which follows the IPv4 header and any options, which [RFC0791] refers to as "data" or "data octets". See, e.g., the examples in [RFC0791] APPENDIX A. The IPv6 payload is the rest of the packet following the 40 octet IPv6 header. Note that any extension headers present are considered part of the payload. See [RFC2460] for the IPv6 specification. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded.

   This Information Element, which may have a variable length, carries the first n octets from the data link frame of a sampled packet. The data link layer is defined in [ISO_IEC.7498-1_1994]. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded.

   This Information Element, which may have a variable length, carries the first n octets from the MPLS label stack of a sampled packet. With sufficient length, this element also reports octets from the MPLS payload, subject to [RFC2804]. See the Security Considerations section. See [RFC3031] for the specification of MPLS packets. See [RFC3032] for the specification of the MPLS label stack. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded.

   This Information Element, which may have a variable length, carries the first n octets from the MPLS payload of a sampled packet, being data that follows immediately after the MPLS label stack. See [RFC3031] for the specification of MPLS packets.
   See [RFC3032] for the specification of the MPLS label stack. The size of the exported section may be constrained due to limitations in the IPFIX protocol. If insufficient octets are available for the length specified in the Template, the Information Element MUST NOT be padded.

   This Information Element specifies the total number of packets observed by a Selector, for a specific value of SelectorId.
   Units: packets

   This Information Element specifies the total number of packets selected by a Selector, for a specific value of SelectorId.
   Units: packets

   This Information Element specifies the maximum possible positive or negative error interval of the reported value for a given Information Element.
   Units: The units of the Information Element for which the error is specified.

   This Information Element specifies the maximum possible positive or negative error ratio for a given Information Element.

   This Information Element specifies the absolute time in seconds of an observation.
   Units: seconds

   This Information Element specifies the absolute time in milliseconds of an observation.
   Units: milliseconds

   This Information Element specifies the absolute time in microseconds of an observation.
   Units: microseconds

   This Information Element specifies the absolute time in nanoseconds of an observation.
   Units: nanoseconds

   This Information Element specifies the value from the digest hash function.

   This Information Element specifies the IP payload offset used by a hash based Selector.

   This Information Element specifies the IP payload size used by a hash based Selector.

   This Information Element specifies the value for the beginning of a hash function's potential output range.
   This Information Element specifies the value for the end of a hash function's potential output range.

   This Information Element specifies the value for the beginning of a hash function's selected range.

   This Information Element specifies the value for the end of a hash function's selected range.

   This Information Element contains a boolean value which is TRUE if the output from this hash Selector has been configured to be included in the packet report as a packet digest, else FALSE.

   This Information Element specifies the initialiser value to the hash function.

Authors' Addresses

   Thomas Dietz
   NEC Europe Ltd.
   NEC Laboratories Europe
   Network Research Division
   Kurfuersten-Anlage 36
   Heidelberg 69115
   Germany
   Phone: +49 6221 4342-128
   Email: dietz@nw.neclab.eu
   URI: http://www.nw.neclab.eu/

   Falko Dressler
   University of Erlangen-Nuremberg
   Dept. of Computer Sciences
   Martensstr. 3
   Erlangen 91058
   Germany
   Phone: +49 9131 85-27914
   Email: dressler@informatik.uni-erlangen.de
   URI: http://www7.informatik.uni-erlangen.de/~dressler

   Georg Carle
   University of Tuebingen
   Wilhelm-Schickard-Institute for Computer Science
   Auf der Morgenstelle 10C
   Tuebingen 71076
   Germany
   Phone: +49 7071 29-70505
   Email: carle@informatik.uni-tuebingen.de
   URI: http://net.informatik.uni-tuebingen.de/~carle/

   Benoit Claise
   Cisco Systems, Inc.
   De Kleetlaan 6a b1
   Degem 1813
   Belgium
   Phone: +32 2 704 5622
   Email: bclaise@cisco.com

   Paul Aitken
   Cisco Systems, Inc.
   96 Commercial Quay
   Edinburgh EH6 6LX
   Scotland
   Phone: +44 131 561 3616
   Email: paitken@cisco.com
   URI: http://www.cisco.com/
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgment

   Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).